Preface 

My objective in writing this book was to produce a general, comprehensive textbook that treats all the 
essential core areas of cryptography. Although many books and monographs on cryptography have been 
written in recent years, the majority of them tend to address specialized areas of cryptography. On the 
other hand, many of the existing general textbooks have become out-of-date due to the rapid expansion 
of research in cryptography in the past 15 years. 

I have taught a graduate level cryptography course at the University of Nebraska-Lincoln to computer 
science students, but I am aware that cryptography courses are offered at both the undergraduate and 
graduate levels in mathematics, computer science and electrical engineering departments. Thus, I tried to 
design the book to be flexible enough to be useful in a wide variety of approaches to the subject. 

Of course there are difficulties in trying to appeal to such a wide audience. But basically, I tried to do 
things in moderation. I have provided a reasonable amount of mathematical background where it is 
needed. I have attempted to give informal descriptions of the various cryptosystems, along with more 
precise pseudo-code descriptions, since I feel that the two approaches reinforce each other. As well, 
there are many examples to illustrate the workings of the algorithms. And in every case I try to explain 
the mathematical underpinnings; I believe that it is impossible to really understand how a cryptosystem 
works without understanding the underlying mathematical theory. 

The book is organized into three parts. The first part, Chapters 1-3, covers private-key cryptography. 
Chapters 4-9 concern the main topics in public-key cryptography. The remaining four chapters provide 
introductions to four active research areas in cryptography. 

The first part consists of the following material: Chapter 1 is a fairly elementary introduction to simple 
"classical" cryptosystems. Chapter 2 covers the main elements of Shannon's approach to cryptography, 
including the concept of perfect secrecy and the use of information theory in cryptography. Chapter 3 is 
a lengthy discussion of the Data Encryption Standard; it includes a treatment of differential 
cryptanalysis. 

The second part contains the following material: Chapter 4 concerns the RSA Public-key 
Cryptosystem, together with a considerable amount of background on number-theoretic topics such as 
primality testing and factoring. Chapter 5 discusses some other public-key systems, the most important 
being the ElGamal System based on discrete logarithms. Chapter 6 deals with signature schemes, such 
as the Digital Signature Standard, and includes treatment of special types of signature schemes such as 
undeniable and fail-stop signature schemes. The subject of Chapter 7 is hash functions. Chapter 8 
provides an overview of the numerous approaches to key distribution and key agreement protocols. 
Finally, Chapter 9 describes identification schemes. 

The third part contains chapters on selected research-oriented topics, namely, authentication codes, 
secret sharing schemes, pseudo-random number generation, and zero-knowledge proofs. 

Thus, I have attempted to be quite comprehensive in the "core" areas of cryptography, as well as to 
provide some more advanced chapters on specific research areas. Within any given area, however, I try 
to pick a few representative systems and discuss them in a reasonable amount of depth. Thus my 
coverage of cryptography is in no way encyclopedic. 

Certainly there is much more material in this book than can be covered in one (or even two) semesters. 
But I hope that it should be possible to base several different types of courses on this book. An 
introductory course could cover Chapter 1, together with selected sections of Chapters 2-5. A second or 
graduate course could cover these chapters in a more complete fashion, as well as material from 
Chapters 6-9. Further, I think that any of the chapters would be a suitable basis for a "topics" course that 
might delve into specific areas more deeply. 

But aside from its primary purpose as a textbook, I hope that researchers and practitioners in 
cryptography will find it useful in providing an introduction to specific areas with which they might not 
be familiar. With this in mind, I have tried to provide references to the literature for further reading on 
many of the topics discussed. 

One of the most difficult things about writing this book was deciding how much mathematical 
background to include. Cryptography is a broad subject, and it requires knowledge of several areas of 
mathematics, including number theory, groups, rings and fields, linear algebra, probability and 
information theory. As well, some familiarity with computational complexity, algorithms and NP- 
completeness theory is useful. I have tried not to assume too much mathematical background, and thus I 
develop mathematical tools as they are needed, for the most part. But it would certainly be helpful for 
the reader to have some familiarity with basic linear algebra and modular arithmetic. On the other hand, 
a more specialized topic, such as the concept of entropy from information theory, is introduced from 
scratch. 

I should also apologize to anyone who does not agree with the phrase "Theory and Practice" in the title. 
I admit that the book is more theory than practice. What I mean by this phrase is that I have tried to 
select the material to be included in the book both on the basis of theoretical interest and practical 
importance. So, I may include systems that are not of practical use if they are mathematically elegant or 
illustrate an important concept or technique. But, on the other hand, I do describe the most important 
systems that are used in practice, e.g., DES and other U. S. cryptographic standards. 

I would like to thank the many people who provided encouragement while I wrote this book, pointed out 
typos and errors, and gave me useful suggestions on material to include and how various topics should 
be treated. In particular, I would like to convey my thanks to Mustafa Atici, Mihir Bellare, Bob Blakley, 
Carlo Blundo, Gilles Brassard, Daniel Ducharme, Mike Dvorsky, Luiz Frota-Mattos, David Klarner, 
Don Kreher, Keith Martin, Vaclav Matyas, Alfred Menezes, Luke O'Connor, William Read, Phil 
Rogaway, Paul Van Oorschot, Scott Vanstone, Johan van Tilburg, Marc Vauclair and Mike Wiener. 
Thanks also to Mike Dvorsky for helping me prepare the index. 

Douglas R. Stinson 

The CRC Press Series on Discrete Mathematics and Its Applications 

Discrete mathematics is becoming increasingly applied to computer science, engineering, the physical 
sciences, the natural sciences, and the social sciences. Moreover, there has also been an explosion of 
research in discrete mathematics in the past two decades. Both trends have produced a need for many 
types of information for people who use or study this part of the mathematical sciences. The CRC Press 
Series on Discrete Mathematics and Its Applications is designed to meet the needs of practitioners, 
students, and researchers for information in discrete mathematics. The series includes handbooks and 
other reference books, advanced textbooks, and selected monographs. Among the areas of discrete 
mathematics addressed by the series are logic, set theory, number theory, combinatorics, discrete 
probability theory, graph theory, algebra, linear algebra, coding theory, cryptology, discrete 
optimization, theoretical computer science, algorithmics, and computational geometry. 

Kenneth H. Rosen, Series Editor 

Distinguished Member of Technical Staff 
AT&T Bell Laboratories 
Holmdel, New Jersey 
e-mail: krosen@arch4.ho.att.com 

Advisory Board 

Charles Colbourn 

Department of Combinatorics and Optimization, University of Waterloo 
Jonathan Gross 

Department of Computer Science, Columbia University 

Andrew Odlyzko 
AT&T Bell Laboratories 
Chapter 1 

Classical Cryptography 

1.1 Introduction: Some Simple Cryptosystems 

The fundamental objective of cryptography is to enable two people, usually referred to as Alice and 
Bob, to communicate over an insecure channel in such a way that an opponent, Oscar, cannot understand 
what is being said. This channel could be a telephone line or computer network, for example. The 
information that Alice wants to send to Bob, which we call "plaintext," can be English text, numerical 
data, or anything at all — its structure is completely arbitrary. Alice encrypts the plaintext, using a 
predetermined key, and sends the resulting ciphertext over the channel. Oscar, upon seeing the 
ciphertext in the channel by eavesdropping, cannot determine what the plaintext was; but Bob, who 
knows the encryption key, can decrypt the ciphertext and reconstruct the plaintext. 

This concept is described more formally using the following mathematical notation. 

DEFINITION 1.1 A cryptosystem is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, where the following conditions are satisfied:

1. $\mathcal{P}$ is a finite set of possible plaintexts

2. $\mathcal{C}$ is a finite set of possible ciphertexts

3. $\mathcal{K}$, the keyspace, is a finite set of possible keys

4. For each $K \in \mathcal{K}$, there is an encryption rule $e_K \in \mathcal{E}$ and a corresponding decryption rule $d_K \in \mathcal{D}$. Each $e_K : \mathcal{P} \to \mathcal{C}$ and $d_K : \mathcal{C} \to \mathcal{P}$ are functions such that $d_K(e_K(x)) = x$ for every plaintext $x \in \mathcal{P}$.

The main property is property 4. It says that if a plaintext x is encrypted using $e_K$, and the resulting ciphertext is subsequently decrypted using $d_K$, then the original plaintext x results. 
Alice and Bob will employ the following protocol to use a specific cryptosystem. First, they choose a random key $K \in \mathcal{K}$. This is done when they are in the same place and are not being observed by Oscar, or, alternatively, when they do have access to a secure channel, in which case they can be in different places. At a later time, suppose Alice wants to communicate a message to Bob over an insecure channel. We suppose that this message is a string

$x = x_1 x_2 \cdots x_n$

for some integer $n \ge 1$, where each plaintext symbol $x_i \in \mathcal{P}$, $1 \le i \le n$. Each $x_i$ is encrypted using the encryption rule $e_K$ specified by the predetermined key K. Hence, Alice computes $y_i = e_K(x_i)$, $1 \le i \le n$, and the resulting ciphertext string

$y = y_1 y_2 \cdots y_n$

is sent over the channel. When Bob receives $y_1 y_2 \ldots y_n$, he decrypts it using the decryption function $d_K$, obtaining the original plaintext string $x_1 x_2 \ldots x_n$. See Figure 1.1 for an illustration of the communication channel. 




Figure 1.1 The Communication Channel 

Clearly, it must be the case that each encryption function $e_K$ is an injective function (i.e., one-to-one); otherwise, decryption could not be accomplished in an unambiguous manner. For example, if

$y = e_K(x_1) = e_K(x_2)$

where $x_1 \ne x_2$, then Bob has no way of knowing whether y should decrypt to $x_1$ or $x_2$. Note that if $\mathcal{P} = \mathcal{C}$, it follows that each encryption function is a permutation. That is, if the set of plaintexts and ciphertexts are identical, then each encryption function just rearranges (or permutes) the elements of this set. 

1.1.1 The Shift Cipher 

In this section, we will describe the Shift Cipher, which is based on modular arithmetic. But first we 
review some basic definitions of modular arithmetic. 
DEFINITION 1.2 Suppose a and b are integers, and m is a positive integer. Then we write $a \equiv b \pmod{m}$ if m divides b - a. The phrase $a \equiv b \pmod{m}$ is read as "a is congruent to b modulo m." The integer m is called the modulus.

Suppose we divide a and b by m, obtaining integer quotients and remainders, where the remainders are between 0 and m - 1. That is, $a = q_1 m + r_1$ and $b = q_2 m + r_2$, where $0 \le r_1 \le m - 1$ and $0 \le r_2 \le m - 1$. Then it is not difficult to see that $a \equiv b \pmod{m}$ if and only if $r_1 = r_2$. We will use the notation a mod m (without parentheses) to denote the remainder when a is divided by m, i.e., the value $r_1$ above. Thus $a \equiv b \pmod{m}$ if and only if a mod m = b mod m. If we replace a by a mod m, we say that a is reduced modulo m.

REMARK Many computer programming languages define a mod m to be the remainder in the range -m + 1, ..., m - 1 having the same sign as a. For example, -18 mod 7 would be -4, rather than 3 as we defined it above. But for our purposes, it is much more convenient to define a mod m always to be nonnegative.

We can now define arithmetic modulo m: $\mathbb{Z}_m$ is defined to be the set {0, ..., m - 1}, equipped with two operations, + and ×. Addition and multiplication in $\mathbb{Z}_m$ work exactly like real addition and multiplication, except that the results are reduced modulo m.

For example, suppose we want to compute 11 × 13 in $\mathbb{Z}_{16}$. As integers, we have 11 × 13 = 143. To reduce 143 modulo 16, we just perform ordinary long division: 143 = 8 × 16 + 15, so 143 mod 16 = 15, and hence 11 × 13 = 15 in $\mathbb{Z}_{16}$. 
These definitions of addition and multiplication in $\mathbb{Z}_m$ satisfy most of the familiar rules of arithmetic. We will list these properties now, without proof:

1. addition is closed, i.e., for any $a, b \in \mathbb{Z}_m$, $a + b \in \mathbb{Z}_m$

2. addition is commutative, i.e., for any $a, b \in \mathbb{Z}_m$, $a + b = b + a$

3. addition is associative, i.e., for any $a, b, c \in \mathbb{Z}_m$, $(a + b) + c = a + (b + c)$

4. 0 is an additive identity, i.e., for any $a \in \mathbb{Z}_m$, $a + 0 = 0 + a = a$

5. the additive inverse of any $a \in \mathbb{Z}_m$ is $m - a$, i.e., $a + (m - a) = (m - a) + a = 0$ for any $a \in \mathbb{Z}_m$

6. multiplication is closed, i.e., for any $a, b \in \mathbb{Z}_m$, $ab \in \mathbb{Z}_m$

7. multiplication is commutative, i.e., for any $a, b \in \mathbb{Z}_m$, $ab = ba$

8. multiplication is associative, i.e., for any $a, b, c \in \mathbb{Z}_m$, $(ab)c = a(bc)$

9. 1 is a multiplicative identity, i.e., for any $a \in \mathbb{Z}_m$, $a \times 1 = 1 \times a = a$

10. multiplication distributes over addition, i.e., for any $a, b, c \in \mathbb{Z}_m$, $(a + b)c = (ac) + (bc)$ and $a(b + c) = (ab) + (ac)$.

Figure 1.2 Shift Cipher

Properties 1, 3-5 say that $\mathbb{Z}_m$ forms an algebraic structure called a group with respect to the addition operation. Since property 2 also holds, the group is said to be abelian.

Properties 1-10 establish that $\mathbb{Z}_m$ is, in fact, a ring. We will see many other examples of groups and rings in this book. Some familiar examples of rings include the integers, $\mathbb{Z}$; the real numbers, $\mathbb{R}$; and the complex numbers, $\mathbb{C}$. However, these are all infinite rings, and our attention will be confined almost exclusively to finite rings. 
Since additive inverses exist in $\mathbb{Z}_m$, we can also subtract elements in $\mathbb{Z}_m$. We define a - b in $\mathbb{Z}_m$ to be a + m - b mod m. Equivalently, we can compute the integer a - b and then reduce it modulo m.

For example, to compute 11 - 18 in $\mathbb{Z}_{31}$, we can evaluate 11 + 13 mod 31 = 24. Alternatively, we can first subtract 18 from 11, obtaining -7, and then compute -7 mod 31 = 24.

We present the Shift Cipher in Figure 1.2. It is defined over $\mathbb{Z}_{26}$ since there are 26 letters in the English alphabet, though it could be defined over $\mathbb{Z}_m$ for any modulus m. It is easy to see that the Shift Cipher forms a cryptosystem as defined above, i.e., $d_K(e_K(x)) = x$ for every $x \in \mathbb{Z}_{26}$.

REMARK For the particular key K = 3, the cryptosystem is often called the Caesar Cipher, which was purportedly used by Julius Caesar.

We would use the Shift Cipher (with a modulus of 26) to encrypt ordinary English text by setting up a correspondence between alphabetic characters and residues modulo 26 as follows: A ↔ 0, B ↔ 1, ..., Z ↔ 25. Since we will be using this correspondence in several examples, let's record it for future use: 



A   B   C   D   E   F   G   H   I   J   K   L   M
0   1   2   3   4   5   6   7   8   9   10  11  12

N   O   P   Q   R   S   T   U   V   W   X   Y   Z
13  14  15  16  17  18  19  20  21  22  23  24  25



A small example will illustrate. 

Example 1.1 

Suppose the key for a Shift Cipher is K = 11, and the plaintext is 

wewillmeetatmidnight . 

We first convert the plaintext to a sequence of integers using the specified correspondence, obtaining the 
following: 



22  4 22  8 11 11 12  4  4 19
 0 19 12  8  3 13  8  6  7 19

Next, we add 11 to each value, reducing each sum modulo 26:

 7 15  7 19 22 22 23 15 15  4
11  4 23 19 14 24 19 17 18  4

Finally, we convert the sequence of integers to alphabetic characters, obtaining the ciphertext: 

HPHTWWXPPELEXTOYTRSE 

To decrypt the ciphertext, Bob will first convert the ciphertext to a sequence of integers, then subtract 11 from each value (reducing modulo 26), and finally convert the sequence of integers to alphabetic characters. 

REMARK In the above example we are using upper case letters for ciphertext and lower case letters for 
plaintext, in order to improve readability. We will do this elsewhere as well. 

If a cryptosystem is to be of practical use, it should satisfy certain properties. We informally enumerate 
two of these properties now. 

1. Each encryption function $e_K$ and each decryption function $d_K$ should be efficiently computable.

2. An opponent, upon seeing a ciphertext string y, should be unable to determine the key K that was used, or the plaintext string x.

The second property is defining, in a very vague way, the idea of "security." The process of attempting to compute the key K, given a string of ciphertext y, is called cryptanalysis. (We will make these concepts more precise as we proceed.) Note that, if Oscar can determine K, then he can decrypt y just as Bob would, using $d_K$. Hence, determining K is at least as difficult as determining the plaintext string x.

We observe that the Shift Cipher (modulo 26) is not secure, since it can be cryptanalyzed by the obvious method of exhaustive key search. Since there are only 26 possible keys, it is easy to try every possible decryption rule $d_K$ until a "meaningful" plaintext string is obtained. This is illustrated in the following example. 
Example 1.2

Given the ciphertext string

JBCRCLQRWCRVNBJENBWRWN,

we successively try the decryption keys $d_0$, $d_1$, etc. The following is obtained:

jbcrclqrwcrvnbjenbwrwn
iabqbkpqvbqumaidmavqvm
hzapajopuaptlzhclzupul
gyzozinotzoskygbkytotk
fxynyhmnsynrjxfajxsnsj
ewxmxglmrxmqiweziwrmri
dvwlwfklqwlphvdyhvqlqh
cuvkvejkpvkogucxgupkpg
btujudijoujnftbwftojof
astitchintimesavesnine

At this point, we have determined the plaintext and we can stop. The key is K = 9.

On average, a plaintext will be computed after trying 26/2 = 13 decryption rules.

Figure 1.3 Substitution Cipher

As the above example indicates, a necessary condition for a cryptosystem to be secure is that an exhaustive key search should be infeasible; i.e., the keyspace should be very large. As might be expected, a large keyspace is not sufficient to guarantee security. 
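The Shift Cipher of Figure 1.2 together with Example 1.1 and the exhaustive key search of Example 1.2, as an added Python example that is not code from the book; the function names and the small word list used to recognise "meaningful" plaintext are my own choices.

```python
# Added example (not from the book): the Shift Cipher over Z_26 under the
# correspondence A <-> 0, ..., Z <-> 25, plus the exhaustive key search of Example 1.2.
import string

ALPHABET = string.ascii_uppercase


def to_ints(text):
    """Map letters to residues modulo 26 using the book's correspondence."""
    return [ALPHABET.index(ch) for ch in text.upper()]


def to_letters(values, upper=True):
    """Map residues back to letters; ciphertext upper case, plaintext lower case."""
    s = "".join(ALPHABET[v % 26] for v in values)
    return s if upper else s.lower()


def shift_encrypt(key, plaintext):
    """e_K(x) = x + K mod 26, applied symbol by symbol."""
    return to_letters((x + key) % 26 for x in to_ints(plaintext))


def shift_decrypt(key, ciphertext):
    """d_K(y) = y - K mod 26. Python's % already returns the nonnegative residue
    the text's REMARK asks for, so no sign correction is needed here."""
    return to_letters(((y - key) % 26 for y in to_ints(ciphertext)), upper=False)


def check_round_trip(key, plaintext):
    """Property 4 of Definition 1.1: d_K(e_K(x)) = x."""
    return shift_decrypt(key, shift_encrypt(key, plaintext)) == plaintext


def exhaustive_key_search(ciphertext, dictionary):
    """Try the 26 decryption rules d_0 .. d_25 in turn and stop at the first
    candidate containing a dictionary word (a stand-in for a human reading the
    candidates, as in Example 1.2). Returns (key, plaintext) or None."""
    for key in range(26):
        candidate = shift_decrypt(key, ciphertext)
        if any(word in candidate for word in dictionary):
            return key, candidate
    return None


if __name__ == "__main__":
    # Example 1.1: K = 11
    print(shift_encrypt(11, "wewillmeetatmidnight"))   # HPHTWWXPPELEXTOYTRSE
    # Example 1.2: recover the key from the ciphertext alone (constructed word list)
    words = ("stitch", "time", "saves", "nine")
    print(exhaustive_key_search("JBCRCLQRWCRVNBJENBWRWN", words))   # (9, 'astitchintimesavesnine')
```

The 26-entry keyspace is why the search terminates after at most 26 trials (13 on average); the same loop over a 26! keyspace is the infeasibility the next paragraph refers to.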
1.1.2 The Substitution Cipher

Another well-known cryptosystem is the Substitution Cipher. This cryptosystem has been used for hundreds of years. Puzzle "cryptograms" in newspapers are examples of Substitution Ciphers. This cipher is defined in Figure 1.3.

Actually, in the case of the Substitution Cipher, we might as well take $\mathcal{P}$ and $\mathcal{C}$ both to be the 26-letter English alphabet. We used $\mathbb{Z}_{26}$ in the Shift Cipher because encryption and decryption were algebraic operations. But in the Substitution Cipher, it is more convenient to think of encryption and decryption as permutations of alphabetic characters.

Here is an example of a "random" permutation, $\pi$, which could comprise an encryption function. (As before, plaintext characters are written in lower case and ciphertext characters are written in upper case.) 


a   b   c   d   e   f   g   h   i   j   k   l   m
X   N   Y   A   H   P   O   G   Z   Q   W   B   T

n   o   p   q   r   s   t   u   v   w   x   y   z
S   F   L   R   C   V   M   U   E   K   J   D   I

Thus, $e_\pi(a) = X$, $e_\pi(b) = N$, etc. The decryption function is the inverse permutation. This is formed by writing the second lines first, and then sorting in alphabetical order. The following is obtained: 
A   B   C   D   E   F   G   H   I   J   K   L   M
d   l   r   y   v   o   h   e   z   x   w   p   t

N   O   P   Q   R   S   T   U   V   W   X   Y   Z
b   g   f   j   q   n   m   u   s   k   a   c   i

Hence, $d_\pi(A) = d$, $d_\pi(B) = l$, etc. 

As an exercise, the reader might decrypt the following ciphertext using this decryption function: 

MGZVYZLGHCMHJMYXSSFMNHAHYCDLMHA.

A key for the Substitution Cipher just consists of a permutation of the 26 alphabetic characters. The number of these permutations is 26!, which is more than $4.0 \times 10^{26}$, a very large number. Thus, an exhaustive key search is infeasible, even for a computer. However, we shall see later that a Substitution Cipher can easily be cryptanalyzed by other methods.

1.1.3 The Affine Cipher 
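The Substitution Cipher with the permutation $\pi$ tabulated above, its inverse built exactly as the text describes (write the second line first, then sort), a key-validity check, and the 26! keyspace count, as an added Python example that is not code from the book; `PI`, `invert` and the other names are my own.

```python
# Added example (not from the book): the Substitution Cipher of Figure 1.3 with
# the permutation pi from the text, written as the ciphertext letter for a..z.
import math
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

PI = "XNYAHPOGZQWBTSFLRCVMUEKJDI"   # pi(a) = X, pi(b) = N, ..., pi(z) = I


def is_permutation(key):
    """A valid key must be a bijection of the 26 letters: each letter used once."""
    return len(key) == 26 and set(key) == set(UPPER)


def invert(key):
    """Inverse permutation: pair each ciphertext letter with its plaintext letter,
    sort by the ciphertext letter, and read off the plaintext letters A..Z."""
    pairs = sorted(zip(key, LOWER))
    return "".join(p for _, p in pairs)


def encrypt(key, plaintext):
    if not is_permutation(key):
        raise ValueError("key is not a permutation of the alphabet")
    return "".join(key[LOWER.index(ch)] for ch in plaintext.lower())


def decrypt(key, ciphertext):
    inv = invert(key)
    return "".join(inv[UPPER.index(ch)] for ch in ciphertext.upper())


def keyspace_size():
    """26! possible keys: exhaustive search is infeasible, unlike the Shift Cipher."""
    return math.factorial(26)


if __name__ == "__main__":
    print(encrypt(PI, "abc"))        # XNY
    print(invert(PI))                # dlryvohezxwptbgfjqnmuskaci
    print(keyspace_size() > 4.0e26)  # True
```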
The Shift Cipher is a special case of the Substitution Cipher which includes only 26 of the 26! possible permutations of 26 elements. Another special case of the Substitution Cipher is the Affine Cipher, which we describe now. In the Affine Cipher, we restrict the encryption functions to functions of the form

$e(x) = ax + b \bmod 26$,

$a, b \in \mathbb{Z}_{26}$. These functions are called affine functions, hence the name Affine Cipher. (Observe that when a = 1, we have a Shift Cipher.)

In order that decryption is possible, it is necessary to ask when an affine function is injective. In other words, for any $y \in \mathbb{Z}_{26}$, we want the congruence

$ax + b \equiv y \pmod{26}$

to have a unique solution for x. This congruence is equivalent to

$ax \equiv y - b \pmod{26}$.

Now, as y varies over $\mathbb{Z}_{26}$, so, too, does y - b vary over $\mathbb{Z}_{26}$. Hence, it suffices to study the congruence

$ax \equiv y \pmod{26}$, $y \in \mathbb{Z}_{26}$.

We claim that this congruence has a unique solution for every y if and only if gcd(a, 26) = 1 (where the gcd function denotes the greatest common divisor of its arguments). First, suppose that gcd(a, 26) = d > 1. Then the congruence $ax \equiv 0 \pmod{26}$ has (at least) two distinct solutions in $\mathbb{Z}_{26}$, namely x = 0 and x = 26/d. In this case e(x) = ax + b mod 26 is not an injective function and hence not a valid encryption function.

For example, since gcd(4, 26) = 2, it follows that 4x + 7 is not a valid encryption function: x and x + 13 will encrypt to the same value, for any $x \in \mathbb{Z}_{26}$.

Let's next suppose that gcd(a, 26) = 1. Suppose for some $x_1$ and $x_2$ that

$ax_1 \equiv ax_2 \pmod{26}$.

Then

$a(x_1 - x_2) \equiv 0 \pmod{26}$,

and thus

$26 \mid a(x_1 - x_2)$.

We now make use of a property of division: if gcd(a, b) = 1 and $a \mid bc$, then $a \mid c$. Since $26 \mid a(x_1 - x_2)$ and gcd(a, 26) = 1, we must therefore have that

$26 \mid (x_1 - x_2)$,

i.e., $x_1 \equiv x_2 \pmod{26}$.

At this point we have shown that, if gcd(a, 26) = 1, then a congruence of the form $ax \equiv y \pmod{26}$ has, at most, one solution in $\mathbb{Z}_{26}$. Hence, if we let x vary over $\mathbb{Z}_{26}$, then ax mod 26 takes on 26 distinct values modulo 26. That is, it takes on every value exactly once. It follows that, for any $y \in \mathbb{Z}_{26}$, the congruence $ax \equiv y \pmod{26}$ has a unique solution for y.

There is nothing special about the number 26 in this argument. The following result can be proved in an analogous fashion.

THEOREM 1.1

The congruence $ax \equiv b \pmod{m}$ has a unique solution $x \in \mathbb{Z}_m$ for every $b \in \mathbb{Z}_m$ if and only if gcd(a, m) = 1.

Since 26 = 2 × 13, the values of $a \in \mathbb{Z}_{26}$ such that gcd(a, 26) = 1 are a = 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, and 25. The parameter b can be any element in $\mathbb{Z}_{26}$. Hence the Affine Cipher has 12 × 26 = 312 possible keys. (Of course, this is much too small to be secure.)

Let's now consider the general setting where the modulus is m. We need another definition from number theory. 
DEFINITION 1.3 Suppose $a \ge 1$ and $m \ge 2$ are integers. If gcd(a, m) = 1, then we say that a and m are relatively prime. The number of integers in $\mathbb{Z}_m$ that are relatively prime to m is often denoted by $\phi(m)$ (this function is called the Euler phi-function).

A well-known result from number theory gives the value of $\phi(m)$ in terms of the prime power factorization of m. (An integer p > 1 is prime if it has no positive divisors other than 1 and p. Every integer m > 1 can be factored as a product of powers of primes in a unique way. For example, $60 = 2^2 \times 3 \times 5$ and $98 = 2 \times 7^2$.) We record the formula for $\phi(m)$ in the following theorem.

THEOREM 1.2

Suppose

$m = \prod_{i=1}^{n} p_i^{e_i}$,

where the $p_i$'s are distinct primes and $e_i > 0$, $1 \le i \le n$. Then

$\phi(m) = \prod_{i=1}^{n} \left(p_i^{e_i} - p_i^{e_i - 1}\right)$.

It follows that the number of keys in the Affine Cipher over $\mathbb{Z}_m$ is $m\phi(m)$, where $\phi(m)$ is given by the formula above. (The number of choices for b is m, and the number of choices for a is $\phi(m)$, where the encryption function is e(x) = ax + b.) For example, when m = 60, $\phi(60) = 2 \times 2 \times 4 = 16$ and the number of keys in the Affine Cipher is 960. 

Let's now consider the decryption operation in the Affine Cipher with modulus m = 26. Suppose that 
gcd(a, 26) = 1. To decrypt, we need to solve the congruence $y \equiv ax + b \pmod{26}$ for x. The discussion above establishes that the congruence will have a unique solution in $\mathbb{Z}_{26}$, but it does not give us an efficient method of finding the solution. What we require is an efficient algorithm to do this. Fortunately, some further results on modular arithmetic will provide us with the efficient decryption algorithm we seek.

We require the idea of a multiplicative inverse.

DEFINITION 1.4 Suppose $a \in \mathbb{Z}_m$. The multiplicative inverse of a is an element $a^{-1} \in \mathbb{Z}_m$ such that $aa^{-1} \equiv a^{-1}a \equiv 1 \pmod{m}$.

By similar arguments to those used above, it can be shown that a has a multiplicative inverse modulo m if and only if gcd(a, m) = 1; and if a multiplicative inverse exists, it is unique. Also, observe that if $b = a^{-1}$, then $a = b^{-1}$. If p is prime, then every non-zero element of $\mathbb{Z}_p$ has a multiplicative inverse. A ring in which this is true is called a field.

In a later section, we will describe an efficient algorithm for computing multiplicative inverses in $\mathbb{Z}_m$ for any m. However, in $\mathbb{Z}_{26}$ trial and error suffices to find the multiplicative inverses of the elements relatively prime to 26: $1^{-1} = 1$, $3^{-1} = 9$, $5^{-1} = 21$, $7^{-1} = 15$, $11^{-1} = 19$, $17^{-1} = 23$, and $25^{-1} = 25$. (All of these can be verified easily. For example, 7 × 15 = 105 ≡ 1 mod 26, so $7^{-1} = 15$.)

Consider our congruence $y \equiv ax + b \pmod{26}$. This is equivalent to

$ax \equiv y - b \pmod{26}$.

Since gcd(a, 26) = 1, a has a multiplicative inverse modulo 26. Multiplying both sides of the congruence by $a^{-1}$, we obtain

$a^{-1}(ax) \equiv a^{-1}(y - b) \pmod{26}$.

By associativity of multiplication modulo 26,

$a^{-1}(ax) = (a^{-1}a)x = 1x = x$.

Consequently, $x = a^{-1}(y - b) \pmod{26}$. This is an explicit formula for x, that is, the decryption function is

$d(y) = a^{-1}(y - b) \bmod 26$.

So, finally, the complete description of the Affine Cipher is given in Figure 1.4.

Figure 1.4 Affine Cipher

Let's do a small example. 

Example 1.3

Suppose that K = (7, 3). As noted above, $7^{-1} \bmod 26 = 15$. The encryption function is

$e_K(x) = 7x + 3$,

and the corresponding decryption function is

$d_K(y) = 15(y - 3) = 15y - 19$,

where all operations are performed in $\mathbb{Z}_{26}$. It is a good check to verify that $d_K(e_K(x)) = x$ for all $x \in \mathbb{Z}_{26}$. Computing in $\mathbb{Z}_{26}$, we get

$d_K(e_K(x)) = 15(7x + 3) - 19 = x + 45 - 19 = x$.

Figure 1.5 Vigenere Cipher

To illustrate, let's encrypt the plaintext hot. We first convert the letters h, o, t to residues modulo 26. These are respectively 7, 14, and 19. Now, we encrypt:

7 × 7 + 3 mod 26 = 52 mod 26 = 0
7 × 14 + 3 mod 26 = 101 mod 26 = 23
7 × 19 + 3 mod 26 = 136 mod 26 = 6.

So the three ciphertext characters are 0, 23, and 6, which corresponds to the alphabetic string AXG. We leave the decryption as an exercise for the reader. 
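The Affine Cipher of Figure 1.4 over a general modulus m, as an added Python example that is not code from the book: the key-validity test of Theorem 1.1, the key count $m\phi(m)$ of Theorem 1.2, the multiplicative inverse found by trial as the text does for $\mathbb{Z}_{26}$, and Example 1.3 (K = (7, 3), plaintext hot). Function names are my own.

```python
# Added example (not from the book): the Affine Cipher e(x) = ax + b mod m and
# its decryption d(y) = a^{-1}(y - b) mod m, with the checks the text derives.
import math
import string

ALPHABET = string.ascii_uppercase


def phi(m):
    """Euler phi-function from the prime-power factorization (Theorem 1.2):
    phi(m) = prod (p_i^e_i - p_i^(e_i - 1))."""
    result, n, p = 1, m, 2
    while p * p <= n:
        if n % p == 0:
            e = 0
            while n % p == 0:
                n //= p
                e += 1
            result *= p ** e - p ** (e - 1)
        p += 1
    if n > 1:                       # one remaining prime factor with exponent 1
        result *= n - 1
    return result


def key_count(m):
    """m choices for b, phi(m) choices for a (Theorem 1.1 makes a valid iff gcd(a, m) = 1)."""
    return m * phi(m)


def is_valid_key(a, m=26):
    """e(x) = ax + b is injective exactly when gcd(a, m) = 1."""
    return math.gcd(a, m) == 1


def collision(a, b, m=26):
    """When gcd(a, m) = d > 1, x = 0 and x = m/d encrypt to the same value."""
    d = math.gcd(a, m)
    return d > 1 and (a * 0 + b) % m == (a * (m // d) + b) % m


def inverse_by_trial(a, m=26):
    """a^{-1} in Z_m by trial and error, as the text does for m = 26."""
    for c in range(1, m):
        if (a * c) % m == 1:
            return c
    raise ValueError(f"{a} has no inverse modulo {m}")


def affine_encrypt(key, plaintext, m=26):
    a, b = key
    if not is_valid_key(a, m):
        raise ValueError("a must be relatively prime to m")
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % m] for ch in plaintext.upper())


def affine_decrypt(key, ciphertext, m=26):
    a, b = key
    a_inv = inverse_by_trial(a, m)   # exists because the key was validated on encryption
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % m]
                   for ch in ciphertext.upper()).lower()


if __name__ == "__main__":
    print(key_count(26), key_count(60))          # 312 960
    print(inverse_by_trial(7))                   # 15
    print(affine_encrypt((7, 3), "hot"))         # AXG
    print(affine_decrypt((7, 3), "AXG"))         # hot
    print(collision(4, 7))                       # True: 4x + 7 is not a valid rule
```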

1.1.4 The Vigenere Cipher

In both the Shift Cipher and the Substitution Cipher, once a key is chosen, each alphabetic character is mapped to a unique alphabetic character. For this reason, these cryptosystems are called monoalphabetic. We now present in Figure 1.5 a cryptosystem which is not monoalphabetic, the well-known Vigenere Cipher. This cipher is named after Blaise de Vigenere, who lived in the sixteenth century.

Using the correspondence A ↔ 0, B ↔ 1, ..., Z ↔ 25 described earlier, we can associate each key K with an alphabetic string of length m, called a keyword. The Vigenere Cipher encrypts m alphabetic characters at a time: each plaintext element is equivalent to m alphabetic characters. 

Let's do a small example. 

Example 1.4 

Suppose m = 6 and the keyword is CIPHER. This corresponds to the numerical equivalent K = (2, 8, 15, 7, 4, 17). Suppose the plaintext is the string

thiscryptosystemisnotsecure.

We convert the plaintext elements to residues modulo 26, write them in groups of six, and then "add" the keyword modulo 26, as follows:

19  7  8 18  2 17      24 15 19 14 18 24
 2  8 15  7  4 17       2  8 15  7  4 17
21 15 23 25  6  8       0 23  8 21 22 15

18 19  4 12  8 18      13 14 19 18  4  2
 2  8 15  7  4 17       2  8 15  7  4 17
20  1 19 19 12  9      15 22  8 25  8 19

20 17  4
 2  8 15
22 25 19

The alphabetic equivalent of the ciphertext string would thus be:

VPXZGIAXIVWPUBTTMJPWIZITWZT

To decrypt, we can use the same keyword, but we would subtract it modulo 26 instead of adding. 

Observe that the number of possible keywords of length m in a Vigenere Cipher is $26^m$, so even for relatively small values of m, an exhaustive key search would require a long time. For example, if we take m = 5, then the keyspace has size exceeding $1.1 \times 10^7$. This is already large enough to preclude exhaustive key search by hand (but not by computer).

In a Vigenere Cipher having keyword length m, an alphabetic character can be mapped to one of m possible alphabetic characters (assuming that the keyword contains m distinct characters). Such a cryptosystem is called polyalphabetic. In general, cryptanalysis is more difficult for polyalphabetic than for monoalphabetic cryptosystems. 
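The Vigenere Cipher of Figure 1.5 with the keyword CIPHER of Example 1.4, decryption by subtracting the keyword, the $26^m$ keyspace, and a small function that makes the polyalphabetic property visible (the set of ciphertext letters one plaintext letter can take), as an added Python example that is not code from the book; function names are my own.

```python
# Added example (not from the book): the Vigenere Cipher over Z_26 with keyword
# length m; the i-th symbol is shifted by k_{i mod m}, so the shift depends on position.
import string

ALPHABET = string.ascii_uppercase


def keyword_to_key(keyword):
    """K = (k_1, ..., k_m) under A <-> 0, ..., Z <-> 25."""
    return tuple(ALPHABET.index(ch) for ch in keyword.upper())


def vigenere_encrypt(keyword, plaintext):
    key = keyword_to_key(keyword)
    m = len(key)
    return "".join(ALPHABET[(ALPHABET.index(ch) + key[i % m]) % 26]
                   for i, ch in enumerate(plaintext.upper()))


def vigenere_decrypt(keyword, ciphertext):
    """Same keyword, subtracted instead of added."""
    key = keyword_to_key(keyword)
    m = len(key)
    return "".join(ALPHABET[(ALPHABET.index(ch) - key[i % m]) % 26]
                   for i, ch in enumerate(ciphertext.upper())).lower()


def images_of(keyword, letter):
    """Polyalphabetic: the ciphertext letters a single plaintext letter can map to,
    one per distinct keyword letter (m of them when the keyword letters are distinct)."""
    x = ALPHABET.index(letter.upper())
    return sorted({ALPHABET[(x + k) % 26] for k in keyword_to_key(keyword)})


def keyspace_size(m):
    """26^m keywords of length m; 26^5 already exceeds 1.1 x 10^7."""
    return 26 ** m


if __name__ == "__main__":
    c = vigenere_encrypt("CIPHER", "thiscryptosystemisnotsecure")
    print(c)                               # VPXZGIAXIVWPUBTTMJPWIZITWZT
    print(vigenere_decrypt("CIPHER", c))   # thiscryptosystemisnotsecure
    print(images_of("CIPHER", "t"))        # ['A', 'B', 'I', 'K', 'V', 'X']
    print(keyspace_size(5))                # 11881376
```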

1.1.5 The Hill Cipher 

In this section, we describe another polyalphabetic cryptosystem called the Hill Cipher. This cipher was invented in 1929 by Lester S. Hill. Let m be a positive integer, and define $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$. The idea is to take m linear combinations of the m alphabetic characters in one plaintext element, thus producing the m alphabetic characters in one ciphertext element.

For example, if m = 2, we could write a plaintext element as $x = (x_1, x_2)$ and a ciphertext element as $y = (y_1, y_2)$. Here, $y_1$ would be a linear combination of $x_1$ and $x_2$, as would $y_2$. We might take

$y_1 = 11x_1 + 3x_2$
$y_2 = 8x_1 + 7x_2$.

Of course, this can be written more succinctly in matrix notation as follows:

$(y_1, y_2) = (x_1, x_2) \begin{pmatrix} 11 & 8 \\ 3 & 7 \end{pmatrix}$
In general, we will take an m × m matrix K as our key. If the entry in row i and column j of K is $k_{i,j}$, then we write $K = (k_{i,j})$. For $x = (x_1, \ldots, x_m) \in \mathcal{P}$ and $K \in \mathcal{K}$, we compute $y = e_K(x) = (y_1, \ldots, y_m)$ as follows:

$(y_1, \ldots, y_m) = (x_1, \ldots, x_m) \begin{pmatrix} k_{1,1} & k_{1,2} & \cdots & k_{1,m} \\ k_{2,1} & k_{2,2} & \cdots & k_{2,m} \\ \vdots & \vdots & & \vdots \\ k_{m,1} & k_{m,2} & \cdots & k_{m,m} \end{pmatrix}$

In other words, y = xK. 

We say that the ciphertext is obtained from the plaintext by means of a linear transformation. We have 
to consider how decryption will work, that is, how x can be computed from y. Readers familiar with 

linear algebra will realize that we use the inverse matrix K l to decrypt. The ciphertext is decrypted using 

the formula x = yK l . 

Here are the definitions of necessary concepts from linear algabra. If A = (a . .) is an $ x W matrix and 
B = (b ) is an m x n matrix, then we define the matrix product AB = (c ) by the formula 

JyfC l,K 

m 

for ' — * — ' and 1 <k<n. That is, the entry in row i and column k of AB is formed by taking the z'th 
row of A and the kth column of B, multiplying corresponding entries together, and summing. Note that 

AB is an & ^ ^ matrix. 

This definition of matrix multiplication is associative (that is, (AB)C = A(BC) but not, in general, 
commutative (it is not always the case that AB = BA, even for square matrices A and B). 

The m x m identity matrix, denoted by / , is the m x m matrix with l's on the main diagonal and O's 

m 

elsewhere. Thus, the 2 x 2 identity matrix is 
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/ is termed an identity matrix since AI =A for any ^ X 771 matrix A and / B = B for any m x n 

m m m 

matrix B. Now, the inverse matrix to an m x m matrix A (if it exists) is the matrix A" 1 such that AA~ l = A' 
1 A=I . Not all matrices have inverses, but if an inverse exists, it is unique. 

m 

With these facts at hand, it is easy to derive the decryption formula given above: since y = xK, we can 
multiply both sides of the formula by K l , obtaining 

yJt" 1 = {xK)K~ l = x{KK~ l ) = xl m = x, 

(Note the use of the associativity property.) 

We can verify that the encryption matrix above has an inverse in ^26 ■ 

-i 



/ 11 S \ 1 / 7 18 \ 
^3 7 } ~ ^ 25 U ) 



since 



/118U7 18\ _ /ll x 7 + 8 x 23 11 x 18 + 8 x 11\ 
^3 7/\23 1lJ\3x7 + 7x 23 3 x 18+ 7 x 11 ) 

" \182 131 ) 

= (oi)' 

Remember that all arithmetic operations are done modulo 26.) 

Let's now do an example to illustrate encryption and decryption in the Hill Cipher. 

Example 1.5 

Suppose the key is 
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« = ?)• 

From the computations above, we have that 

**-(; !?) 

Suppose we want to encrypt the plaintext july. We have two elements of plaintext to encrypt: (9, 20) 
(corresponding to ju) and (11, 24) (corresponding to ly). We compute as follows: 

^ = (99 + 60,72 + 140) = (3,4) 



= (121 + 72,88+ 168} = (11,22). 

Hence, the encryption of july is DELW. To decrypt, Bob would compute: 
and 

Hence, the correct plaintext is obtained. 

At this point, we have shown that decryption is possible if K has an inverse. In fact, for decryption to be 
possible, it is necessary that K has an inverse. (This follows fairly easily from elementary linear algebra, 
but we will not give a proof here.) So we are interested precisely in those matrices K that are invertible. 

The invertibility of a (square) matrix depends on the value of its determinant. To avoid unnecessary 
generality, we will confine our attention to the 2 x 2 case. 
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DEFINITION 1.5 The determinant of the 2x2 matrix A = {a. .) is the value 

REMARK The determinant of an m x m square matrix can be computed by elementary row operations: 
see any text on linear algebra. 

Two important properties of determinants are that det / = 1 ; and the multiplication rule det(Afi) = det A 
x det B. 
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A real matrix K has an inverse if and only if its determinant is non-zero. However, it is important to 

remember that we are working over ^2fi . The relevant result for our purposes is that a matrix K has an 
inverse modulo 26 if and only if gcd (det K, 26) = 1 . 

We briefly sketch the proof of this fact. First suppose that gcd(det K, 26) = 1 . Then det K has an inverse 
in ™2A ■ Now, for <i<m, 1 <j<m, define K.. to be the matrix obtained from K by deleting the z'th row 

and the j'th column. Define a matrix K* to have as its (i, ^-entry the value (-1) 1+J det K... (K* is called the 
adjoint matrix of K.) Then it can be shown that 



./' 



K- 1 = (det K)~ l K\ 

Hence, K is invertible. 

Conversely, suppose Khas an inverse, K l . By the multiplication rule for determinants, we have 

1 = det / = det(/OT 1 ) = det K dot K~ 1 , 

Hence, det K is invertible in 

REMARK The above formula for K l is not very efficient computationally, except for small values of m 
(say m = 2, 3). For larger m, the preferred method of computing inverse matrices would involve 
elementary row operations. 

In the 2x2 case, we have the following formula: 

THEOREM 1.3 



Suppose A = (a. .) is a 2 x 2 matrix over ^2fi such that det A = a a - a a is invertible. Then 

Iryl 1*1 . ^ 1 . ^L. ^ % 1 
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Let's look again at the example considered earlier. First, we have 

det ^ = 11 x 7 - S x 3 mod 26 

= 77- 24 mod 26 
= 53 mod 26 
= 1. 

Now, l" 1 mod 26 = 1, so the inverse matrix is 



/ 11 8 \ 1 / 7 18 \ 
\ 3 7 ) { 23 LI } ' 



as we verified earlier. 

We now give a precise description of the Hill Cipher over in Figure 1.6. 
1.1.6 The Permutation Cipher 

All of the cryptosystems we have discussed so far involve substitution: plaintext characters are replaced 
by different ciphertext characters. The idea of a permutation cipher is to keep the plaintext characters 
unchanged, but to alter their positions by rearranging them. The Permutation Cipher (also known as 
the Transposition Cipher) has been in use for hundreds of years. In fact, the distinction between the 
Permutation Cipher and the Substitution Cipher was pointed out as early as 1563 by Giovanni Porta. 
A formal definition is given in Figure 1.7. 

As with the Substitution Cipher, it is more convenient to use alphabetic characters as opposed to 
residues modulo 26, since there are no algebraic operations being performed in encryption or decryption. 

Here is an example to illustrate: 



Figure 1.6 Hill Cipher 
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Figure 1.7 Permutation Cipher 
Example 1.6 

Suppose m = 6 and the key is the following permutation n: 



1 


2 


3 


4 


5 


e 


3 


5 


1 


6 


4 


2 



Then the inverse permutation n~ is the following: 



1 


2 


3 


4 


5 


f> 


3 


G 


1 


T> 


2 


4 



Now, suppose we are given the plaintext 

shesellsseashellsbytheseashore . 
We first group the plaintext into groups of six letters: 

shesel | lsseas | hellsb | ythese | ashore 
Now each group of six letters is rearranged according to the permutation 7t, yielding the following: 

EESLSH | SALSES | LSHBLE | HSYEET | HRAEOS 

So, the ciphertext is: 

EESLSHSALSESLSHBLEHSYEETHRAEOS . 
The ciphertext can be decrypted in a similar fashion, using the inverse permutation ri . 

In fact, the Permutation Cipher is a special case of the Hill Cipher. Given a permutation of 71 of the set 

{ 1, . . . , m}, we can define an associated mxm permutation matrix K = (k. .) according to the formula 

71 i, j 
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' ] 0 other w ise. 



(A permutation matrix is a matrix in which every row and column contains exactly one "1," and all other 
values are "0." A permutation matrix can be obtained from an identity matrix by permuting rows or 
columns.) 

It is not difficult to see that Hill encryption using the matrix K is, in fact, equivalent to permutation 

encryption using the permutation 7C. Moreover, ^# = ^ir -h, i.e., the inverse matrix to K is the 

permutation matrix defined by the permutation jc" 1 . Thus, Hill decryption is equivalent to permutation 
decryption. 

For the permutation % used in the example above, the associated permutation matrices are 



and 



k. = 



a-.- 1 = 



f 0 


0 


1 


0 


0 


o \ 


0 


0 


0 


0 


0 


1 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


1 


0 


0 


0 


0 




0 


0 


1 


0 


0 / 


/ 0 


0 


1 


0 


0 


0 \ 


0 


0 


0 


0 


1 


0 


1 


0 


0 


0 


0 


0 


0 


0 


0 


0 


0 


1 


0 


0 


0 


1 


0 


0 


Vo 


1 


0 


0 


0 





The reader can verify that the product of these two matrices is the identity. 
1.1.7 Stream Ciphers 

In the cryptosystems we have studied to this point, successive plaintext elements are encrypted using the 
same key, K. That is, the ciphertext string y is obtained as follows: 
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Cryptosystems of this type are often called block ciphers. 

An alternative approach is to use what are called stream ciphers. The basic idea is to generate a 
keystream z = z z • • • , and use it to encrypt a plaintext string x = jc jc . . . according to the rule 

y = vm - - = e*, (xi)e^(x 2 ) 

A stream cipher operates as follows. Suppose is the key and x^ 2 ... is the plaintext string. 

The function/^, is used to generate z. (the zth element of the keystream), where ^. is a function of the key, 
K, and the first i - 1 plaintext characters: 

The keystream element z. is used to encrypt x., yielding 2/* ). So, to encrypt the plaintext 

string . . . , we would successively compute 



Decrypting the ciphertext string y y . . . can be accomplished by successively computing 
Here is a formal mathematical definition: 
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DEFINITION 1.6 A Stream Cipher is a tuple £^ A ^^M*) w here the following conditions 

are satisfied: 

1. V is a finite set of possible plaintexts 

2. C is a finite set of possible ciphertexts 

3. ^C, f/ze keyspace, is a finite set of possible keys 

4. ^ w a finite set called the key stream alphabet 

5. P — {flyfiy ■ ■ ■) j s fh e key stream generator. For i > 1, 

/i : K x P 1 " 1 -> C. 

6. For eac/z £ € £ , there is an encryption rule &z ^ & and a corresponding decryption rule 
d z £ *D. g z . — >■ C an d C ^ are functions such that d (e (x)) = x for every 

z z 

plaintext ^ ^ P. 

We can think of a block cipher as a special case of a stream cipher where the keystream is constant: z. = 
A' for all /> 1. 

Here are some special types of stream ciphers together with illustrative examples. A stream cipher is 
synchronous if the keystream is independent of the plaintext string, that is, if the keystream is generated 
as a function only of the key K. In this situation, we think of K as a "seed" that is expanded into a 
keystream z z 

A stream cipher is periodic with period d if Z = z. for all integers i>\. The Vigenere Cipher with 

keyword length m can be thought of as a periodic stream cipher with period m. In this case, the key is K 
= (k . . . , k ). K itself provides the first m elements of the keystream: z = k , 1 < i < m. Then the 

1 m ii 

keystream just repeats itself from that point on. Observe that in this stream cipher setting for the 
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Vigenere Cipher, the encryption and decryption functions are identical to those used in the Shift 
Cipher: e (x) = x + z and d (y) =y - z. 

z z 

Stream ciphers are often described in terms of binary alphabets, i.e., F ~ £ ~ £ — %2 . in this 
situation, the encryption and decryption operation are just addition modulo 2: 

e A {x) = x +■ z mod 2 

and 

d t {y) = y + z mod 2. 

If we think of "0" as representing the boolean value "false" and "1" as representing "true," then addition 
modulo 2 corresponds to the exclusive-or operation. Hence, encryption (and decryption) can be 
implemented very efficiently in hardware. 

Let's look at another method of generating a (synchronous) keystream. Suppose we start with (£,..., 
k ) and let z = k , 1 < i < m (as before), but we now generate the keystream using a linear recurrence 

mii 

relation of degree m: 

m—l 



Zi+m - ^2 CjZi+j mod 2, 

j=0 



where c , . . . , Cfn ~ 1 are predetermined constants. 



REMARK This recurrence is said to have degree m since each term depends on the previous m terms. It 
is linear because z is a linear function of previous terms. Note that we can take c n = 1 without loss of 

i+m 1 0 

generality, for otherwise the recurrence will be of degree m - 1 . 
Here, the key K consists of the 2m values k,...,k,c,...,c .If 

1 m 0 m-1 

(A],. . tifcro) = (0,- > - ,0), 

then the keystream consists entirely of 0's. Of course, this should be avoided, as the ciphertext will then 
be identical to the plaintext. However, if the constants c , . . . , c are chosen in a suitable way, then 

A 0 m-1 J 
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any other initialization vector (k , . . . , k ) will give rise to a periodic keystream having period 2 m - 1. So 

a "short" key can give rise to a keystream having a very long period. This is certainly a desirable 
property: we will see in a later section how the Vigenere Cipher can be cryptanalyzed by exploiting the 
fact that the keystream has short period. 

Here is an example to illustrate. 

Example 1.7 

Suppose m = 4 and the keystream is generated using the rule 

= z i + 2t+i niod 2 

(i > 1). If the keystream is initialized with any vector other than (0, 0, 0, 0), then we obtain a keystream 
of period 15. For example, starting with (1, 0, 0, 0), the keystream is 

1,0, 0,0,1,0,0,1,1, 0,1,0, 1,1,1,. ... 

Any other non-zero initialization vector will give rise to a cyclic permutation of the same keystream. 

Another appealing aspect of this method of keystream generation is that the keystream can be produced 
efficiently in hardware using a linear feedback shift register, or LFSR. We would use a shift register 
with m stages. The vector (k....,k ) would be used to initialize the shift register. At each time unit, 

1 m 

the following operations would be performed concurrently: 

1. k^ would be tapped as the next keystream bit 

2. k,...,k would each be shifted one stage to the left 

2 m 

3. the "new" value of k would be computed to be 

m 

(this is the "linear feedback"). 



Figure 1.8 A Linear Feedback Shift Register 
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■■■■ !-■ 

Figure 1.9 Autokey Cipher 

Observe that the linear feedback is carried out by tapping certain stages of the register (as specified by 
the constants c. having the value "1") and computing a sum modulo 2 (which is an exclusive-or). This is 

illustrated in Figure 1.8, where we depict the LFSR that will generate the keystream of Example 1.7. 

An example of a non- synchronous stream cipher that is known as the Autokey Cipher is given in Figure 
1.9. It is apparently due to Vigenere. 

The reason for the terminology "autokey" is that the plaintext is used as the key (aside from the initial 
"priming key" K). Here is an example to illustrate: 
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Example 1.8 

Suppose the key is K = 8, and the plaintext is 

rendezvous . 
We first convert the plaintext to a sequence of integers: 

17 4 13 3 4 25 21 14 20 18 
The key stream is as follows: 

8 17 4 13 3 4 25 21 14 20 
Now we add corresponding elements, reducing modulo 26: 

25 21 17 16 7 3 20 9 8 12 
In alphabetic form, the ciphertext is: 

ZVRQHDUJIM. 

Now let's look at how Alice decrypts the ciphertext. She will first convert the alphabetic string to the 
numeric string 



25 21 17 16 7 3 20 9 8 12 



Then she can compute 



*i = ds(25) = 25-8 mod 26 = 17. 
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Next, 

■x 2 = d i7 {21) = 21-17 mod 26 = 4, 

and so on. Each time she obtains another plaintext character, she also uses it as the next keystream 
element. 

Of course, the Autokey Cipher is insecure since there are only 26 possible keys. 

In the next section, we discuss methods that can be used to cryptanalyze the various cryptosystems we 
have presented. 

1 .2 Cryptanalysis 

In this section, we discuss some techniques of cryptanalysis. The general assumption that is usually 
made is that the opponent, Oscar, knows the cryptosystem being used. This is usually referred to as 
Kerckhoff's principle. Of course, if Oscar does not know the cryptosystem being used, that will make his 
task more difficult. But we do not want to base the security of a cryptosystem on the (possibly shaky) 
premise that Oscar does not know what system is being employed. Hence, our goal in designing a 
cryptosystem will be to obtain security under Kerckhoff's principle. 

First, we want to differentiate between different levels of attacks on cryptosystems. The most common 
types are enumerated as follows. 

Ciphertext-only 

The opponent possesses a string of ciphertext, y. 
Known plaintext 

The opponent possesses a string of plaintext, x, and the corresponding ciphertext, y. 
Chosen plaintext 

The opponent has obtained temporary access to the encryption machinery. 

Hence he can choose a plaintext string, x, and construct the corresponding ciphertext 

string, y. 

Chosen ciphertext 

The opponent has obtained temporary access to the decryption machinery. Hence he can 
choose a ciphertext string, y, and construct the corresponding plaintext string, x. 
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In each case, the object is to determine the key that was used. We note that a chosen ciphertext attack is 
relevant to public-key cryptosy stems, which we discuss in the later chapters. 

We first consider the weakest type of attack, namely a ciphertext-only attack. We also assume that the 
plaintext string is ordinary English text, without punctuation or "spaces." (This makes cryptanalysis 
more difficult than if punctuation and spaces were encrypted.) 

Many techniques of cryptanalysis use statistical properties of the English language. Various people have 
estimated the relative frequencies of the 26 letters by compiling statistics from numerous novels, 
magazines, and newspapers. The estimates in Table 1.1 were obtained by Beker and Piper. 

On the basis of the above probabilities, Beker and Piper partition the 26 letters into five groups as 
follows: 

1. E, having probability about 0.120 

2. T, A, O, I, N, S, H, R, each having probabilities between 0.06 and 0.09 

3. D, L, each having probabilities around 0.04 

4. C, U, M, W, F, G, Y, P, B, each having probabilities between 0.015 and 0.028 

5. V, K, J, X, Q, Z, each having probabilities less than 0.01. 

It may also be useful to consider sequences of two or three consecutive letters called digrams and 
trigrams, respectively. The 30 most common digrams are (in decreasing order) TH, HE, IN, ER, AN, RE, 
ED, ON, ES, ST, EN, AT, TO, NT, HA, ND, OU, EA, NG, AS, OR, 77, IS, ET, IT, AR, TE, SE, HI, and 
OF. The twelve most common trigrams are (in decreasing order) THE ING, AND, HER, ERE, ENT, 
THA, NTH, WAS, ETH, FOR, and DTH. 



Table l.lProbabilities of Occurrence of the 26 Letters 



letter 


probability 


letter 


probability 


A 


.082 


N 


.067 


B 


.015 


O 


.075 


C 


.028 


P 


.019 


D 


.043 


Q 


.001 


E 


.127 


R 


.060 


F 


.022 


S 


.063 


G 


.020 


T 


.091 


H 


.061 


U 


.028 


I 


.070 


V 


.010 
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/ 


.002 


W 


.023 


K 


.008 


X 


.001 


L 


.040 


Y 


.020 


M 


.024 


Z 


.001 
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1.2.1 Cryptanalysis of the Affine Cipher 

As a simple illustration of how cryptanalysis can be performed using statistical data, let's look first at 
the Affine Cipher. Suppose Oscar has intercepted the following ciphertext: 

Example 1.9 

Ciphertext obtained from an Affine Cipher 

FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDK 
APRKDLYEVLRHHRH 

The frequency analysis of this ciphertext is given in Table 1.2. 

There are only 57 characters of ciphertext, but this is sufficient to cryptanalyze an Affine Cipher. The 
most frequent ciphertext characters are: R (8 occurrences), D (7 occurrences), E, H, K (5 occurrences 
each), and F, S, V (4 occurrences each). As a first guess, we might hypothesize that R is the encryption 
of e and D is the encryption of t, since e and t are (respectively) the two most common letters. Expressed 
numerically, we have e (4) = 17 and e (19) = 3. Recall that e (x) = ax + b, where a and b are unknowns. 

K K K 

So we get two linear equations in two unknowns: 

ia + b = 17 
19a + b = 3. 



Table 1.2Frequency of Occurrence of the 26 Ciphertext Letters 



letter 


frequency 


letter 


frequency 


A 


2 


N 


1 


B 


1 


0 


1 


C 


0 


P 


2 
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D 


7 


Q 


0 


E 


5 


R 


8 


F 


4 


S 


3 


G 


0 


T 


0 


H 


5 


U 


2 


I 


0 


V 


4 


J 


0 


w 


0 


K 


5 


X 


2 


L 


2 


Y 


1 


M 


2 


Z 


0 



This system has the unique solution a = 6, b = 19 (in ^iG). But this is an illegal key, since gcd(a, 26) = 2 
> 1 . So our hypothesis must be incorrect. 

Our next guess might be that R is the encryption of e and E is the encryption of t. Proceeding as above, 
we obtain a = 13, which is again illegal. So we try the next possibility, that R is the encryption of e and 
H is the encryption of t. This yields a = 8, again impossible. Continuing, we suppose that R is the 
encryption of e and K is the encryption of t. This produces a = 3, b = 5, which is at least a legal key. It 
remains to compute the decryption function corresponding to K = (3, 5), and then to decrypt the 
ciphertext to see if we get a meaningful string of English, or nonsense. This will confirm the validity of 
(3, 5). 

If we perform these operations, we have d(y) = 9y - 19 and the given ciphertext decrypts to yield: 

K 

a Igor ithmsarequitegeneraldef in it ionsof arit 
hmeticpro cesses 

We conclude that we have determined the correct key. 

1.2.2 Cryptanalysis of the Substitution Cipher 

Here, we look at the more complicated situation, the Substitution Cipher. Consider the following 
ciphertext: 



Table 1.3Frequency of Occurrence of the 26 Ciphertext Letters 



letter 


frequency 


letter 


frequency 
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A 


0 


N 


9 


B 


1 


0 


0 


C 


15 


P 


1 


D 


13 


Q 


4 


E 


7 


R 


10 


F 


11 


S 


3 


G 


1 


T 


2 


H 


4 


U 


5 


I 


5 


V 


5 


J 


11 


w 


8 


K 


1 


X 


6 


L 


0 


Y 


10 


M 


16 


Z 


20 



Example 1.10 

Ciphertext obtained from a Substitution Cipher 

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVE JBTXCDDUMJ 
NDIFEFMDZCDMQZKCEYFC JMYRNCWJCSZREXCHZUNMXZ 
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZ J J 
XZWGCHSMRNMDHNCMFQCHZ JMX JZWIE JYUCFWD JNZDIR 

The frequency analysis of this ciphertext is given in Table 1.3. 
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Since Z occurs significantly more often than any other ciphertext character, we might conjecture that d 

(Z) = e. The remaining ciphertext characters that occur at least ten times (each) are C, D, F, J, M, R, Y. 
We might expect that these letters are encryptions of (a subset of) t, a, o, i, n, s, h, r, but the frequencies 
really do not vary enough to tell us what the correspondence might be. 

At this stage we might look at digrams, especially those of the form -Z or Z-since we conjecture that Z 
decrypts to e. We find that the most common digrams of this type are DZ and ZW (four times each); NZ 
and ZU (three times each); and RZ, HZ, YZ, FZ, ZR, ZV, ZC, ZD, and ZJ (twice each). Since ZW occurs 
four times and WZ not at all, and W occurs less often than many other characters, we might guess that d i 

(W) = d. Since DZ occurs four times and ZD occurs twice, we would think that D (D) e {r, s, t], but it 

K 

is not clear which of the three possibilities is the correct one. 

If we proceed on the assumption that dJZ) = e and dJW) = d, we might look back at the ciphertext and 

K K 

notice that we have ZR W and RZW both occurring near the beginning of the ciphertext, and RW occurs 
again later on. Since R occurs frequently in the ciphertext and nd is a common digram, we might try d v 

K 

(R) = n as the most likely possibility. 

At this point, we have the following: 

end e ned e 

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVE JBTXCDDUMJ 

e e n — d en e e 

NDIFEFMDZCDMQZKCEYFC JMYRNCWJCSZREXCHZUNMXZ 

-e n n ed e e — ne-nd-e-e — 

NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZ J J 

-ed n e ed d e — n 

XZWGCHSMRNMDHNCMFQCHZ JMX JZWIE JYUCFWD JNZDIR 
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Our next step might be to try d (N) = h, since NZ is a common digram and ZN is not. If this is correct, 
then the segment of plaintext ne - ndhe suggests that d (C) = a. Incorporating these guesses, we have: 

end a e-a — nedh — e a 

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVE JBTXCDDUMJ 

h ea e-a a nhad-a-en — a-e-h — e 

NDIFEFMDZCDMQZKCEYFC JMYRNCWJCSZREXCHZUNMXZ 

he-a-n n ed e e — neandhe-e — 

NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZ J J 

-ed-a nh ha a-e ed a-d — he — n 

XZWGCHSMRNMDHNCMFQCHZ JMX JZWIE JYUCFWD JNZDIR 

Now, we might consider M, the second most common ciphertext character. The ciphertext segment 
RNM, which we believe decrypts to nh-, suggests that h- begins a word, so M probably represents a 
vowel. We have already accounted for a and e, so we expect that d(M) = i or o. Since ai is a much more 

likely digram than ao, the ciphertext digram CM suggests that we try d (M) = i first. Then we have: 

iend a-i-e-a-inedhi-e a i- 

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVE JBTXCDDUMJ 

h i-ea-i-e-a a- i -nhad-a-en — a-e -hi -e 

NDIFEFMDZCDMQZKCEYFC JMYRNCWJCSZREXCHZUNMXZ 

he-a-n in-i ed e e-ineandhe-e — 

NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZ J J 

-ed-a — inhi — hai — a-e-i — ed a-d — he — n 

XZWGCHSMRNMDHNCMFQCHZ JMX JZWIE JYUCFWD JNZDIR 

Next, we might try to determine which letter is encrypted to o. Since o is a common letter, we guess that 
the corresponding ciphertext letter is one of D, F, J, Y. Y seem to be the most likely possibility, 
otherwise, we would get long strings of vowels, namely aoi from CFM or CJM. Hence, let's suppose <f 

(Y) = o. 

The three most frequent remaining ciphertext letters are D, F, J, which we conjecture could decrypt to r, 
s, t in some order. Two occurrences of the trigram NMD suggest that d(D) = s, giving the trigram his in 

the plaintext (this is consistent with our earlier hypothesis that d(D) e {r, s, t}). The segment HNCMF 

E 
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could be an encryption of chair, which would give d(F) = r (and d (H) = c) and so we would then have 

E E 

d(J) = tby process of elimination. Now, we have: 

E 

o-r-r iend-ro — ar ise-a-inedhise — t ass-it 

YIFQFMZRWQFYVECFMDZPCVMRZWNMDZVE JBTXCDDUMJ 

hs-r-r iseasi-e-a-orat ionhadta-en — ace-hi-e 
NDIFEFMDZCDMQZKCEYFC JMYRNCWJCSZREXCHZUNMXZ 

he-asnt-oo-in-i-o-redso-e-ore-ineandhesett 
NZUCDRJXYYSMRTMEYIFZWDYVZVYFZUMRZCRWNZDZ J J 

-ed-ac-inhischair-acet i-ted — to-ardsthes-n 
XZWGCHSMRNMDHNCMFQCHZ JMX JZWIE JYUCFWD JNZDIR 

It is now very easy to determine the plaintext and the key for Example 1.10. The complete decryption is 
the following: 

Our friend from Paris examined his empty glass with surprise, as if evaporation had taken 

place while he wasn't looking. I poured some more wine and he settled back in his chair, 

l 

face tilted up towards the sun. 



1 

P. Mayle, A Year in Provence. A. Knopf, Inc., 1989. 
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1.2.3 Cryptanalysis of the Vigenere Cipher 



In this section we describe some methods for cryptanalyzing the Vigenere Cipher. The first step is to 
determine the keyword length, which we denote by m. There are a couple of techniques that can be 
employed. The first of these is the so-called Kasiski test and the second uses the index of coincidence. 



The Kasiski test was first described by Friedrich Kasiski in 1863. It is based on the observation that two 
identical segments of plaintext will be encrypted to the same ciphertext whenever their occurrence in the 
plaintext is x positions apart, where x = 0 mod m. Conversely, if we observe two identical segments of 
ciphertext, each of length at least three, say, then there is a good chance that they do correspond to 
identical segments of plaintext. 

The Kasiski test works as follows. We search the ciphertext for pairs of identical segments of length at 
least three, and record the distance between the starting positions of the two segments. If we obtain 
several such distances d ,d , . . . , then we would conjecture that m divides the greatest common divisor 

of the d's. 
i 

Further evidence for the value of m can be obtained by the index of coincidence. This concept was 
defined by Wolfe Friedman in 1920, as follows. 

DEFINITION 1.7 Suppose x = x x . . . x is a string ofn alphabetic characters. The index of 
coincidence ofx, denoted I (x), is defined to be the probability that two random elements ofx are 
identical. Suppose we denote the frequencies of A, B, C, . . . , Z in x byf,f^ . . . ,f (respectively). We 

(") » (-;) 

can choose two elements ofx in v * ' ways. For each i, 0<i< 25, there are * * ' ways of choosing 
both elements to be i. Hence, we have the formula 



(S) 

The binomial coefficient * Kf = n!/(k!(n - k)!) denotes the number of ways of choosing a subset 
of k objects from a set of n objects. 
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X>(/i-i) 

/c<X) = ' = n(n-l) ■ 

Now, suppose x is a string of English language text. Denote the expected probabilities of occurrence of 
the letters A, B, . . . , Zin Table 1.1 by , p . 

Then, we would expect that 

hix) & ^Pi 2 = 0.065, 

since the probability that two random elements both are A is p Q 2 , the probability that both are B is p^, 

etc. The same reasoning applies if x is a ciphertext obtained by means of any monoalphabetic cipher. In 
this case, the individual probabilities will be permuted, but the quantity 

24 

will be unchanged. 

Now, suppose we start with a ciphertext y = y^y 2 . . . that has been constructed by using a Vigenere 

Cipher. Define m substrings y , y , . . . , y of y by writing out the ciphertext, by columns, in a 

rectangular array of dimensions in x (n/m). The rows of this matrix are the substrings y ., 1 < i < m. If this 

is done, and m is indeed the keyword length, then each / (y .) should be roughly equal to 0.065. On the 

other hand, if m is not the keyword length, then the substrings y will look much more random, since 

they will have been obtained by shift encryption with different keys. Observe that a completely random 
string will have 

h s?2G(l/26)" J = 1/26 = 0.038. 

The two values 0.065 and 0.038 are sufficiently far apart that we will often be able to determine the 
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correct keyword length (or confirm a guess that has already been made using the Kasiski test). 
Let us illustrate these two techniques with an example. 
Example 1.11 

Ciphertext obtained from a Vigenere Cipher 

CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBW 
RVXUOAKXAOSXXWEAHBWG JMMQMNKGRFVGXWTRZXWIAK 
LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXN JELX 
VRVPRTULHDNQWTWDTYGBPHXTFAL JHASVBFXNGLLCHR 
ZBWELEKMS JIKNBHWRJGNMG JSGLXFEYPHAGNRBIEQ JT 
AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI 
PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP 
WQAI IWXNRMGWOI IFKEE 

First, let's try the Kasiski test. The ciphertext string CHR occurs in five places in the ciphertext, 
beginning at positions 1, 166, 236, 276 and 286. The distances from the first occurrence to the other 
three occurrences are (respectively) 165, 235, 275 and 285. The gcd of these four integers is 5, so that is 
very likely the keyword length. 

Let's see if computation of indices of coincidence gives the same conclusion. With m = 1, the index of 
coincidence is 0.045. With m = 2, the two indices are 0.046 and 0.041. With m = 3, we get 0.043, 0.050, 
0.047. With m = 4, we have indices 0.042, 0.039, 0.046, 0.040. Then trying m = 5, we obtain the values 
0.063, 0.068, 0.069, 0.061 and 0.072. This also provides strong evidence that the keyword length is five. 

Proceeding under this assumption, how do we determine the keyword? It is useful to consider the mutual 
index of coincidence of two strings. 
DEFINITION 1.8 Suppose $x = x_1 x_2 \ldots x_n$ and $y = y_1 y_2 \ldots y_{n'}$ are strings of n and n' alphabetic
characters, respectively. The mutual index of coincidence of x and y, denoted $MI_c(x, y)$, is defined to be
the probability that a random element of x is identical to a random element of y. If we denote the
frequencies of A, B, C, ..., Z in x and y by $f_0, f_1, \ldots, f_{25}$ and $f'_0, f'_1, \ldots, f'_{25}$, respectively, then $MI_c(x, y)$
is seen to be
$$MI_c(x, y) = \frac{\sum_{i=0}^{25} f_i f'_i}{n n'}.$$

Now, given that we have determined the value of m, the substrings $y_i$ are obtained by shift encryption of
the plaintext. Suppose $K = (k_1, k_2, \ldots, k_m)$ is the keyword. Let us see if we can estimate $MI_c(y_i, y_j)$.
Consider a random character in $y_i$ and a random character in $y_j$. The probability that both characters are
A is $p_{-k_i} p_{-k_j}$, the probability that both are B is $p_{1-k_i} p_{1-k_j}$, etc. (Note that all subscripts
are reduced modulo 26.) Hence, we estimate that
$$MI_c(y_i, y_j) \approx \sum_{h=0}^{25} p_{h-k_i} p_{h-k_j} = \sum_{h=0}^{25} p_h p_{h+k_i-k_j}.$$
Observe that the value of this estimate depends only on the difference $k_i - k_j \bmod 26$, which we call the
relative shift of $y_i$ and $y_j$. Also, notice that
$$\sum_{h=0}^{25} p_h p_{h+\ell} = \sum_{h=0}^{25} p_h p_{h-\ell},$$
so a relative shift of $\ell$ yields the same estimate of $MI_c$ as does a relative shift of $26 - \ell$.

We tabulate these estimates, for relative shifts ranging between 0 to 13, in Table 1.4.

Table 1.4 Expected Mutual Indices of Coincidence

relative shift    expected value of MI_c
      0                 0.065
      1                 0.039
      2                 0.032
      3                 0.034
      4                 0.044
      5                 0.033
      6                 0.036
      7                 0.039
      8                 0.034
      9                 0.034
     10                 0.038
     11                 0.045
     12                 0.039
     13                 0.043

The important observation is that, if the relative shift is not zero, these estimates vary between 0.031 and
0.045; whereas, a relative shift of zero yields an estimate of 0.065. We can use this observation to
formulate a likely guess for $\ell = k_i - k_j$, the relative shift of $y_i$ and $y_j$, as follows. Suppose we fix $y_i$,
and consider the effect of encrypting $y_j$ by $e_0, e_1, e_2, \ldots$. Denote the resulting strings by $y_j^0, y_j^1$, etc. It
is easy to compute the indices $MI_c(y_i, y_j^g)$, $0 \le g \le 25$. This can be done using the formula
$$MI_c(y_i, y_j^g) = \frac{\sum_{h=0}^{25} f_h f'_{h-g}}{n' n''},$$
where $n'$ and $n''$ are the lengths of $y_i$ and $y_j$, and $f_h$ and $f'_h$ are the frequencies of the h-th letter in $y_i$ and $y_j$.

When $g = \ell$, the $MI_c$ should be close to 0.065, since the relative shift of $y_i$ and $y_j^\ell$ is zero. However, for
values of $g \ne \ell$, the $MI_c$ should vary between 0.031 and 0.045.

By using this technique, we can obtain the relative shifts of any two of the substrings $y_i$. This leaves only
26 possible keywords, which can easily be obtained by exhaustive key search, for example.

Let us illustrate by returning to Example 1.11.

Example 1.11 (Cont.)

We have hypothesized that the keyword length is 5. We now try to compute the relative shifts. By
computer, it is not difficult to compute the 260 values $MI_c(y_i, y_j^g)$, where $1 \le i < j \le 5$, $0 \le g \le 25$. These
values are tabulated in Table 1.5. For each (i, j) pair, we look for values $MI_c(y_i, y_j^g)$ that are close to
0.065. If there is a unique such value (for a given (i, j) pair), we conjecture that it is the value of the
relative shift.

Table 1.5 Observed Mutual Indices of Coincidence
(columns: i, j, value of $MI_c(y_i, y_j^g)$ for $g = 0, 1, \ldots, 25$; the numerical entries did not survive in this copy)

Six such values in Table 1.5 are boxed. They provide strong evidence that the relative shift of $y_1$ and $y_2$
is 9; the relative shift of $y_1$ and $y_5$ is 16; the relative shift of $y_2$ and $y_3$ is 13; the relative shift of $y_2$ and $y_5$
is 7; the relative shift of $y_3$ and $y_5$ is 20; and the relative shift of $y_4$ and $y_5$ is 11. This gives us the
following equations in the five unknowns $k_1, k_2, k_3, k_4, k_5$:
$$k_1 - k_2 = 9$$
$$k_1 - k_5 = 16$$
$$k_2 - k_3 = 13$$
$$k_2 - k_5 = 7$$
$$k_3 - k_5 = 20$$
$$k_4 - k_5 = 11.$$
This allows us to express the five $k_i$'s in terms of $k_1$:
$$k_2 = k_1 + 17$$
$$k_3 = k_1 + 4$$
$$k_4 = k_1 + 21$$
$$k_5 = k_1 + 10.$$

So the key is likely to be $(k_1, k_1 + 17, k_1 + 4, k_1 + 21, k_1 + 10)$ for some $k_1 \in \mathbb{Z}_{26}$. Hence, we suspect
that the keyword is some cyclic shift of AREVK. It now does not take long to determine that the keyword
is JANET. The complete decryption is the following:

The almond tree was in tentative blossom. The days were longer, often ending with
magnificent evenings of corrugated pink skies. The hunting season was over, with hounds
and guns put away for six months. The vineyards were busy again as the well-organized
farmers treated their vines and the more lackadaisical neighbors hurried to do the pruning
they should have done in November.³

³ P. Mayle, A Year in Provence, A. Knopf, Inc., 1989.
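The two tests just described (the index of coincidence for the keyword length, then the mutual index of coincidence for the relative shifts) carried out by computer on the ciphertext of Example 1.11, as an added example that is not part of the book. The letter probabilities are the Beker and Piper values of the book's Table 1.1, and the final choice among the 26 remaining candidates is made by a frequency score rather than by inspection as in the text.

```python
"""Cryptanalysis of the Vigenere ciphertext of Example 1.11: Kasiski test,
index of coincidence, mutual index of coincidence, then the final search
over the 26 remaining candidate keywords."""
from collections import Counter
from functools import reduce
from math import gcd

# Ciphertext of Example 1.11 (313 letters, OCR spacing removed).
CIPHERTEXT = (
    "CHREEVOAHMAERATBIAXXWTNXBEEOPHBSBQMQEQERBW"
    "RVXUOAKXAOSXXWEAHBWGJMMQMNKGRFVGXWTRZXWIAK"
    "LXFPSKAUTEMNDCMGTSXMXBTUIADNGMGPSRELXNJELX"
    "VRVPRTULHDNQWTWDTYGBPHXTFALJHASVBFXNGLLCHR"
    "ZBWELEKMSJIKNBHWRJGNMGJSGLXFEYPHAGNRBIEQJT"
    "AMRVLCRREMNDGLXRRIMGNSNRWCHRQHAEYEVTAQEBBI"
    "PEEWEVKAKOEWADREMXMTBHHCHRTKDNVRZCHRCLQOHP"
    "WQAIIWXNRMGWOIIFKEE"
)

# English letter probabilities p_0 (A) ... p_25 (Z), the Beker and Piper
# values used in the book's Table 1.1; sum p_i^2 is about 0.065.
ENGLISH = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070,
           0.002, 0.008, 0.040, 0.024, 0.067, 0.075, 0.019, 0.001, 0.060,
           0.063, 0.091, 0.028, 0.010, 0.023, 0.001, 0.020, 0.001]


def kasiski_gcd(text, pattern):
    """gcd of the distances from the first occurrence of pattern to the rest."""
    positions = [i for i in range(len(text)) if text.startswith(pattern, i)]
    return reduce(gcd, [p - positions[0] for p in positions[1:]])


def index_of_coincidence(s):
    """I_c(s) = sum f_i (f_i - 1) / (n (n - 1))."""
    n = len(s)
    return sum(f * (f - 1) for f in Counter(s).values()) / (n * (n - 1))


def substrings(text, m):
    """Rows y_1, ..., y_m of the ciphertext written out by columns in an
    m x (n/m) array: y_i holds every m-th letter starting at position i."""
    return [text[i::m] for i in range(m)]


def mean_ic(text, m):
    """Average of I_c(y_i) over the m substrings; near 0.065 when m is right."""
    return sum(index_of_coincidence(y) for y in substrings(text, m)) / m


def shift(s, g):
    """Shift encryption e_g of the string s."""
    return "".join(chr((ord(c) - 65 + g) % 26 + 65) for c in s)


def mutual_ic(x, y):
    """MI_c(x, y) = sum f_i f'_i / (n n')."""
    fx, fy = Counter(x), Counter(y)
    return sum(fx[c] * fy[c] for c in fx) / (len(x) * len(y))


def relative_shift(yi, yj):
    """k_i - k_j mod 26: the g maximising MI_c(y_i, y_j^g), where y_j^g is
    y_j encrypted with e_g (near 0.065 there, 0.031-0.045 elsewhere)."""
    return max(range(26), key=lambda g: mutual_ic(yi, shift(yj, g)))


def decrypt(text, key):
    """Vigenere decryption with a key given as a list of shifts."""
    m = len(key)
    return "".join(chr((ord(c) - 65 - key[i % m]) % 26 + 65)
                   for i, c in enumerate(text)).lower()


def english_score(plain):
    """sum p_i f_i / n: about 0.065 for English, about 0.038 for random text."""
    counts = Counter(plain.upper())
    return sum(ENGLISH[i] * counts[chr(65 + i)] for i in range(26)) / len(plain)


def recover_keyword(text, m):
    """Relative shifts of each y_i against y_m fix the key up to one unknown
    shift k_m; the 26 candidates are then ranked by english_score."""
    ys = substrings(text, m)
    d = [relative_shift(ys[i], ys[m - 1]) for i in range(m)]   # k_i - k_m
    candidates = [[(km + di) % 26 for di in d] for km in range(26)]
    best = max(candidates, key=lambda k: english_score(decrypt(text, k)))
    return "".join(chr(65 + k) for k in best)


if __name__ == "__main__":
    print("Kasiski gcd for CHR:", kasiski_gcd(CIPHERTEXT, "CHR"))
    for m in range(1, 7):
        print(m, [round(index_of_coincidence(y), 3) for y in substrings(CIPHERTEXT, m)])
    keyword = recover_keyword(CIPHERTEXT, 5)
    print(keyword, decrypt(CIPHERTEXT, [ord(c) - 65 for c in keyword])[:40])
```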



1.2.4 A Known Plaintext Attack on the Hill Cipher

The Hill Cipher is more difficult to break with a ciphertext-only attack, but it succumbs easily to a
known plaintext attack. Let us first assume that the opponent has determined the value of m being used.
Suppose he has at least m distinct pairs of m-tuples, $x_j = (x_{1,j}, x_{2,j}, \ldots, x_{m,j})$ and $y_j = (y_{1,j}, y_{2,j}, \ldots, y_{m,j})$
($1 \le j \le m$), such that $y_j = e_K(x_j)$, $1 \le j \le m$. If we define two $m \times m$ matrices $X = (x_{i,j})$ and $Y = (y_{i,j})$, then we
have the matrix equation $Y = XK$, where the $m \times m$ matrix K is the unknown key. Provided that the
matrix X is invertible, Oscar can compute $K = X^{-1}Y$ and thereby break the system. (If X is not invertible,
then it will be necessary to try other sets of m plaintext-ciphertext pairs.)

Let's look at a simple example.

Example 1.12

Suppose the plaintext friday is encrypted using a Hill Cipher with m = 2, to give the ciphertext PQCFKU.

We have that $e_K(5, 17) = (15, 16)$, $e_K(8, 3) = (2, 5)$ and $e_K(0, 24) = (10, 20)$. From the first two
plaintext-ciphertext pairs, we get the matrix equation
$$\begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix} K,$$
so that, working modulo 26,
$$K = \begin{pmatrix} 5 & 17 \\ 8 & 3 \end{pmatrix}^{-1} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 9 & 1 \\ 2 & 15 \end{pmatrix} \begin{pmatrix} 15 & 16 \\ 2 & 5 \end{pmatrix} = \begin{pmatrix} 7 & 19 \\ 8 & 3 \end{pmatrix}.$$
This can be verified by using the third plaintext-ciphertext pair.

What would the opponent do if he does not know m? Assuming that m is not too big, he could simply try
m = 2, 3, ..., until the key is found. If a guessed value of m is incorrect, then an $m \times m$ matrix found by
using the algorithm described above will not agree with further plaintext-ciphertext pairs. In this way,
the value of m can be determined if it is not already known.
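The attack of this section run on the data of Example 1.12, as an added example that is not the book's own code. The inverse modulo 26 is computed through the adjugate (so it works for any m, not only m = 2), and the trial of successive values of m described in the last paragraph is included.

```python
"""Known-plaintext attack on the Hill Cipher (Section 1.2.4): K = X^{-1} Y
over Z_26, with a verification step and a search over unknown m."""
from math import gcd

MOD = 26


def letters_to_numbers(s):
    """a/A -> 0, ..., z/Z -> 25."""
    return [ord(c) - ord("A") for c in s.upper()]


def det_mod(a, n=MOD):
    """Determinant by Laplace expansion along the first row, reduced mod n."""
    m = len(a)
    if m == 1:
        return a[0][0] % n
    total = 0
    for j in range(m):
        minor = [row[:j] + row[j + 1:] for row in a[1:]]
        total += (-1) ** j * a[0][j] * det_mod(minor, n)
    return total % n


def inverse_mod(a, n=MOD):
    """Inverse of a square matrix over Z_n via the adjugate; None when the
    determinant is not a unit mod n (the matrix is then not invertible)."""
    m = len(a)
    d = det_mod(a, n)
    if gcd(d, n) != 1:
        return None
    d_inv = pow(d, -1, n)
    adj = [[0] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(a) if k != i]
            # adj[j][i] is the (i, j) cofactor: the adjugate is the transpose.
            adj[j][i] = (-1) ** (i + j) * (det_mod(minor, n) if m > 1 else 1)
    return [[(d_inv * adj[i][j]) % n for j in range(m)] for i in range(m)]


def mat_mul(a, b, n=MOD):
    """Matrix product over Z_n."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % n
             for j in range(len(b[0]))] for i in range(len(a))]


def blocks(s, m):
    """Split a string into m-tuples of numbers (an incomplete tail is dropped)."""
    nums = letters_to_numbers(s)
    return [nums[i:i + m] for i in range(0, len(nums) - m + 1, m)]


def recover_key(plain, cipher, m):
    """K = X^{-1} Y from the first m plaintext/ciphertext m-tuples; the key is
    returned only if it also agrees with every remaining pair (else None)."""
    X, Y = blocks(plain, m), blocks(cipher, m)
    if len(X) < m:
        return None
    X_inv = inverse_mod(X[:m])
    if X_inv is None:           # these m pairs give a singular X: try others
        return None
    K = mat_mul(X_inv, Y[:m])
    for x, y in zip(X[m:], Y[m:]):
        if mat_mul([x], K)[0] != y:
            return None
    return K


def find_key(plain, cipher, max_m=6):
    """Unknown m: try m = 2, 3, ... until a key agrees with the extra pairs."""
    for m in range(2, max_m + 1):
        if (m + 1) * m > len(plain):   # need m pairs to solve and one to check
            break
        K = recover_key(plain, cipher, m)
        if K is not None:
            return m, K
    return None


# Example 1.12: friday -> PQCFKU, i.e. e_K(5,17) = (15,16), e_K(8,3) = (2,5),
# e_K(0,24) = (10,20).
PLAIN, CIPHER = "friday", "PQCFKU"

if __name__ == "__main__":
    print(recover_key(PLAIN, CIPHER, 2))   # [[7, 19], [8, 3]]
    print(find_key(PLAIN, CIPHER))         # (2, [[7, 19], [8, 3]])
```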

1.2.5 Cryptanalysis of the LFSR-based Stream Cipher

Recall that the ciphertext is the sum modulo 2 of the plaintext and the keystream, i.e., $y_i = x_i + z_i \bmod 2$.
The keystream is produced from $z_1, \ldots, z_m$ using the linear recurrence relation
$$z_{m+i} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2,$$
where the coefficients $c_0, \ldots, c_{m-1}$ are in $\mathbb{Z}_2$ (and $c_0 = 1$).

Since all operations in this cryptosystem are linear, we might suspect that the cryptosystem is vulnerable
to a known-plaintext attack, as is the case with the Hill Cipher. Suppose Oscar has a plaintext string
$x_1 x_2 \ldots x_n$ and the corresponding ciphertext string $y_1 y_2 \ldots y_n$. Then he can compute the keystream bits
$z_i = x_i + y_i \bmod 2$, $1 \le i \le n$. Let us also suppose that Oscar knows the value m. Then Oscar needs only to
compute $c_0, \ldots, c_{m-1}$ in order to be able to reconstruct the entire keystream. In other words, he needs to
be able to determine the values of m unknowns.

Now, for any $i \ge 1$, we have
$$z_{m+i} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2,$$
which is a linear equation in the m unknowns. If $n \ge 2m$, then there are m linear equations in m
unknowns, which can subsequently be solved.

The system of m linear equations can be written in matrix form as follows:
$$(z_{m+1}, z_{m+2}, \ldots, z_{2m}) = (c_0, c_1, \ldots, c_{m-1}) \begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix}.$$
If the coefficient matrix has an inverse (modulo 2), we obtain the solution
$$(c_0, c_1, \ldots, c_{m-1}) = (z_{m+1}, z_{m+2}, \ldots, z_{2m}) \begin{pmatrix} z_1 & z_2 & \cdots & z_m \\ z_2 & z_3 & \cdots & z_{m+1} \\ \vdots & \vdots & & \vdots \\ z_m & z_{m+1} & \cdots & z_{2m-1} \end{pmatrix}^{-1}.$$
In fact, the matrix will have an inverse if m is the degree of the recurrence used to generate the
keystream (see the exercises for a proof). Let's illustrate with an example.



Example 1.13

Suppose Oscar obtains the ciphertext string

101101011110010

corresponding to the plaintext string

011001111111000.

Then he can compute the keystream bits:

110100100001010.

Suppose also that Oscar knows that the keystream was generated using a 5-stage LFSR. Then he would
solve the following matrix equation, which is obtained from the first 10 keystream bits:
$$(0, 1, 0, 0, 0) = (c_0, c_1, c_2, c_3, c_4) \begin{pmatrix} 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 \end{pmatrix}.$$
It can be checked that
$$\begin{pmatrix} 1 & 1 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 \\ 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 0 \end{pmatrix}^{-1} = \begin{pmatrix} 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 0 \end{pmatrix}.$$
This yields
$$(c_0, c_1, c_2, c_3, c_4) = (0, 1, 0, 0, 0) \begin{pmatrix} 0 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 \\ 1 & 0 & 1 & 1 & 0 \end{pmatrix} = (1, 0, 0, 1, 0).$$
(The product picks out the second row of the inverse; this vector also regenerates all 15 keystream bits above.)
Thus the recurrence used to generate the keystream is
$$z_{i+5} = z_i + z_{i+3} \bmod 2.$$
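The attack of this section run on the data of Example 1.13, as an added example that is not the book's own code. Gaussian elimination over $\mathbb{Z}_2$ takes the place of the explicit matrix inverse (it solves the same m × m system), and the recovered recurrence is checked by regenerating the observed keystream.

```python
"""Known-plaintext attack on the LFSR stream cipher (Section 1.2.5) on the
data of Example 1.13: the keystream is recovered as x_i + y_i mod 2 and the
m recurrence coefficients are found by solving the m x m system over Z_2."""


def bits(s):
    """'1011' -> [1, 0, 1, 1]."""
    return [int(ch) for ch in s]


def keystream_from_known_plaintext(plain, cipher):
    """z_i = x_i + y_i mod 2 for every known plaintext/ciphertext bit pair."""
    return [(x + y) % 2 for x, y in zip(plain, cipher)]


def solve_gf2(rows, rhs):
    """Solve the row-vector system c * A = b over Z_2 (A given by `rows`).
    Returns c as a list, or None if A is singular modulo 2."""
    m = len(rows)
    # c A = b is A^T c^T = b^T; run Gauss-Jordan on the augmented [A^T | b].
    aug = [[rows[j][i] for j in range(m)] + [rhs[i]] for i in range(m)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [(p + q) % 2 for p, q in zip(aug[r], aug[col])]
    return [aug[i][m] for i in range(m)]


def recover_recurrence(z, m):
    """Coefficients (c_0, ..., c_{m-1}) of z_{m+i} = sum_j c_j z_{i+j} mod 2,
    from the first 2m keystream bits (z is 0-indexed: z[0] is z_1)."""
    if len(z) < 2 * m:
        raise ValueError("need at least 2m keystream bits")
    A = [z[i:i + m] for i in range(m)]   # row i is (z_{i+1}, ..., z_{i+m})
    b = z[m:2 * m]                        # (z_{m+1}, ..., z_{2m})
    return solve_gf2(A, b)


def lfsr(init, coeffs, length):
    """Run the recurrence forward from the initialization vector."""
    z = list(init)
    m = len(coeffs)
    while len(z) < length:
        z.append(sum(c * z[len(z) - m + j] for j, c in enumerate(coeffs)) % 2)
    return z[:length]


# Example 1.13 (the two bit strings printed in the text).
CIPHER_BITS = bits("101101011110010")
PLAIN_BITS = bits("011001111111000")

if __name__ == "__main__":
    z = keystream_from_known_plaintext(PLAIN_BITS, CIPHER_BITS)
    c = recover_recurrence(z, 5)
    print("keystream:", "".join(map(str, z)))
    print("coefficients (c_0..c_4):", c)
    print("regenerated keystream matches:", lfsr(z[:5], c, len(z)) == z)
```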
1.3 Notes

Much of the material on classical cryptography is covered in textbooks, for example Beker and Piper 
[BP82] and Denning [DE82]. The probability estimates for the 26 alphabetic characters are taken from 
Beker and Piper. As well, the cryptanalysis of the Vigenere Cipher is a modification of the description 
given in Beker and Piper. 

A good reference for elementary number theory is Rosen [Ro93]. Background in elementary linear 
algebra can be found in Anton [AN91]. 

Kahn's book "The Codebreakers" [KA67] is an entertaining and informative history of cryptography up 
to 1967. In it, Kahn states that the Vigenere Cipher is incorrectly attributed to Vigenere. 

The Hill Cipher was first described in [HI29]. Much information on stream ciphers can be found in the 
book by Rueppel [RU86]. 

Exercises

1.1 Below are given four examples of ciphertext, one obtained from a Substitution Cipher, one
from a Vigenere Cipher, one from an Affine Cipher, and one unspecified. In each case, the task
is to determine the plaintext.

Give a clearly written description of the steps you followed to decrypt each ciphertext. This should
include all statistical analysis and computations you performed.

The first two plaintexts were taken from "The Diary of Samuel Marchbanks," by Robertson
Davies, Clarke Irwin, 1947; the fourth was taken from "Lake Wobegon Days," by Garrison
Keillor, Viking Penguin, Inc., 1985.

(a) Substitution Cipher:

EMGLOSUDCGDNCUSWYSFHNSFCYKDPUMLWGYICOXYSIPJCK
QPKUGKMGOLICGINCGACKSNISACYKZSCKXECJCKSHYSXCG
OIDPKZCNKSHICGIWYGKKGKGOLDSILKGOIUSIGLEDSPWZU
GFZCCNDGYYSFUSZCNXEOJNCGYEOWEUPXEZGACGNFGLKNS
ACIGOIYCKXCJUCIUZCFZCCNDGYYSFEUEKUZCSOCFZCCNC
IACZEJNCSHFZEJZEGMXCYHCJUMGKUCY

HINT F decrypts to w.

(b) Vigenere Cipher:

KCCPKBGUFDPHQTYAVINRRTMVGRKDNBVFDETDGILTXRGUD
DKOTFMBPVGEGLTGCKQRACQCWDNAWCRXIZAKFTLEWRPTYC
QKYVXCHKFTPONCQQRHJVAJUWETMCMSPKQDYHJVDAHCTRL
SVSKCGCZQQDZXGSFRLSWCWSJTBHAFSIASPRJAHKJRJUMV
GKMITZHFPDISPZLVLGWTFPLKKEBDPGCEBSHCTJRWXBAFS
PEZQNRWXCVYCGAONWDDKACKAWBBIKFTIOVKCGGHJVLNHI
FFSQESVYCLACNVRWBBIREPBBVFEXOSCDYGZWPFDTKFQIY
CWHJVLNHIQIBTKHJVNPIST

(c) Affine Cipher:

KQEREJEBCPPCJCRKIEACUZBKRVPKRBCIBQCARBJCVFCUP
KRIOFKPACUZQEPBKRXPEIIEABDKPBCPFCDCCAFIEABDKP
BCPFEQPKAZBKRHAIBKAPCCIBURCCDKDCCJCIDFUIXPAFF
ERBICZDFKABICBBENEFCUPJCVKABPCYDCCDPKBCOCPERK
IVKSCPICBRKIJPKABI

(d) unspecified cipher:

BNVSNSIHQCEELSSKKYERIFJKXUMBGYKAMQLJTYAVFBKVT
DVBPVVRJYYLAOKYMPQSCGDLFSRLLPROYGESEBUUALRWXM
MASAZLGLEDFJBZAVVPXWICGJXASCBYEHOSNMULKCEAHTQ
OKMFLEBKFXLRRFDTZXCIWBJSICBGAWDVYDHAVFJXZIBKC
GJIWEAHTTOEWTUHKRQWRGZBXYIREMMASCSPBNLHJMBLR
FFJELHWEYLWISTFVVYFJCMHYUYRUFSFMGESIGRLWALSWM
NUHSIMYYITCCQPZSICEHBCCMZFEGVJYOCDEMMPGHVAAUM
ELCMOEHVLTIPSUYILVGFLMVWDVYDBTHFRAYISYSGKVSUU
HYHGGCKTMBLRX



1.2

(a) How many $2 \times 2$ matrices are there that are invertible over $\mathbb{Z}_{26}$?

(b) Let p be prime. Show that the number of $2 \times 2$ matrices that are invertible over $\mathbb{Z}_p$ is
$(p^2 - 1)(p^2 - p)$.

HINT Since p is prime, $\mathbb{Z}_p$ is a field. Use the fact that a matrix over a field is invertible if
and only if its rows are linearly independent vectors (i.e., there does not exist a non-zero
linear combination of the rows whose sum is the vector of all 0's).

(c) For p prime, and $m \ge 2$ an integer, find a formula for the number of $m \times m$ matrices that
are invertible over $\mathbb{Z}_p$.

1.3 Sometimes it is useful to choose a key such that the encryption operation is identical to the
decryption operation. In the case of the Hill Cipher, we would be looking for matrices K such that
$K = K^{-1}$ (such a matrix is called involutory). In fact, Hill recommended the use of involutory
matrices as keys in his cipher. Determine the number of involutory matrices (over $\mathbb{Z}_{26}$) in the
case m = 2.

HINT Use the formula given in Theorem 1.3 and observe that det A = ±1 for an involutory matrix
over $\mathbb{Z}_p$.

1.4 Suppose we are told that the plaintext

breathtaking

yields the ciphertext

RUPOTENTOSUP

where the Hill Cipher is used (but m is not specified). Determine the encryption matrix.

1.5 An Affine-Hill Cipher is the following modification of a Hill Cipher: Let m be a positive
integer, and define $\mathcal{P} = \mathcal{C} = (\mathbb{Z}_{26})^m$. In this cryptosystem, a key K consists of a pair (L, b),
where L is an $m \times m$ invertible matrix over $\mathbb{Z}_{26}$, and $b \in (\mathbb{Z}_{26})^m$. For $x = (x_1, \ldots, x_m) \in \mathcal{P}$
and $K = (L, b) \in \mathcal{K}$, we compute $y = e_K(x) = (y_1, \ldots, y_m)$ by means of the formula $y = xL + b$.
Hence, if $L = (l_{i,j})$ and $b = (b_1, \ldots, b_m)$, then
$$(y_1, \ldots, y_m) = (x_1, \ldots, x_m) \begin{pmatrix} l_{1,1} & l_{1,2} & \cdots & l_{1,m} \\ l_{2,1} & l_{2,2} & \cdots & l_{2,m} \\ \vdots & \vdots & & \vdots \\ l_{m,1} & l_{m,2} & \cdots & l_{m,m} \end{pmatrix} + (b_1, \ldots, b_m).$$

Suppose Oscar has learned that the plaintext

adisplayedequation

is encrypted to give the ciphertext

DSRMSSIOPLXLJBZULLM

and Oscar also knows that m = 3. Compute the key, showing all computations.

1.6 Here is how we might cryptanalyze the Hill Cipher using a ciphertext-only attack. Suppose
that we know that m = 2. Break the ciphertext into blocks of length two letters (digrams). Each
such digram is the encryption of a plaintext digram using the unknown encryption matrix. Pick out
the most frequent ciphertext digram and assume it is the encryption of a common digram in the list
following Table 1.1 (for example, TH or ST). For each such guess, proceed as in the known-
plaintext attack, until the correct encryption matrix is found.

Here is a sample of ciphertext for you to decrypt using this method:

LMQETXYEAGTXCTUIEWNCTXLZEWUAISPZYVAPEWLMGQWYA
XFTCJMSQCADAGTXLMDXNXSNPJQSYVAPRIQSMHNOCVAXFV

1.7 We describe a special case of a Permutation Cipher. Let m, n be positive integers. Write out
the plaintext, by rows, in $m \times n$ rectangles. Then form the ciphertext by taking the columns of
these rectangles. For example, if m = 4, n = 3, then we would encrypt the plaintext "cryptography"
by forming the following rectangle:

cryp
togr
aphy

The ciphertext would be "CTAROPYGHPRY".

(a) Describe how Bob would decrypt a ciphertext (given values for m and n).

(b) Decrypt the following ciphertext, which was obtained by using this method of
encryption:

MYAMRARUYIQTENCTORAHROYWDSOYEOUARRGDERNOGW

1.8 There are eight different linear recurrences over $\mathbb{Z}_2$ of degree four having $c_0 = 1$. Determine
which of these recurrences give rise to a keystream of period 15 (given a non-zero initialization
vector).

1.9 The purpose of this exercise is to prove the statement made in Section 1.2.5 that the $m \times m$
coefficient matrix is invertible. This is equivalent to saying that the rows of this matrix are linearly
independent vectors over $\mathbb{Z}_2$.

As before, we suppose that the recurrence has the form
$$z_{m+i} = \sum_{j=0}^{m-1} c_j z_{i+j} \bmod 2,$$
where $(z_1, \ldots, z_m)$ comprises the initialization vector. For $i \ge 1$, define $v_i = (z_i, \ldots, z_{i+m-1})$.
Note that the coefficient matrix has the vectors $v_1, \ldots, v_m$ as its rows, so our objective is to prove
that these m vectors are linearly independent.

Prove the following assertions:

(a) For any $i \ge 1$,
$$v_{m+i} = \sum_{j=0}^{m-1} c_j v_{i+j} \bmod 2.$$

(b) Choose h to be the minimum integer such that there exists a non-trivial linear
combination of the vectors $v_1, \ldots, v_h$ which sums to the vector $(0, \ldots, 0)$ modulo 2. Then
$$v_h = \sum_{j=0}^{h-2} \alpha_j v_{j+1} \bmod 2,$$
and not all the $\alpha_j$'s are zero. Observe that $h \le m + 1$, since any m + 1 vectors in an m-
dimensional vector space are dependent.

(c) Prove that the keystream must satisfy the recurrence
$$z_{i+h-1} = \sum_{j=0}^{h-2} \alpha_j z_{i+j} \bmod 2$$
for any $i \ge 1$.

(d) Observe that if $h \le m$, then the keystream satisfies a linear recurrence of degree less
than m, a contradiction. Hence, h = m + 1, and the matrix must be invertible.

1.10 Decrypt the following ciphertext, obtained from the Autokey Cipher, by using exhaustive
key search:

MALVVMAFBHBUQPTSOXALTGVWWRG

1.11 We describe a stream cipher that is a modification of the Vigenere Cipher. Given a keyword
$(K_1, \ldots, K_m)$ of length m, construct a keystream by the rule $z_i = K_i$ ($1 \le i \le m$), $z_i = z_{i-m} + 1 \bmod 26$
($i \ge m + 1$). In other words, each time we use the keyword, we replace each letter by its
successor modulo 26. For example, if SUMMER is the keyword, we use SUMMER to encrypt the
first six letters, we use TVNNFS for the next six letters, and so on.

Describe how you can use the concept of index of coincidence to first determine the length of the
keyword, and then actually find the keyword.

Test your method by cryptanalyzing the following ciphertext:

IYMYSILONRFNCQXQJEDSHBUIBCJUZBOLFQYSCHATPEQGQ
JEJNGNXZWHHGWFSUKULJQACZKKJOAAHGKEMTAFGMKVRDO
PXNEHEKZNKFSKIFRQVHHOVXINPHMRTJPYWQGJWPUUVKFP
OAWPMRKKQZWLQDYAZDRMLPBJKJOBWIWPSEPVVQMBCRYVC
RUZAAOUMBCHDAGDIEMSZFZHALIGKEMJJFPCIWKRMLMPIN
AYOFIREAOLDTHITDVRMSE

The plaintext was taken from "The Codebreakers," by D. Kahn, Macmillan, 1967.
Chapter 2
Shannon's Theory

In 1949, Claude Shannon published a paper entitled "Communication Theory of Secrecy Systems" in the
Bell Systems Technical Journal. This paper had a great influence on the scientific study of cryptography.
In this chapter, we discuss several of Shannon's ideas.

2.1 Perfect Secrecy

There are two basic approaches to discussing the security of a cryptosystem.

computational security

This measure concerns the computational effort required to break a cryptosystem. We
might define a cryptosystem to be computationally secure if the best algorithm for
breaking it requires at least N operations, where N is some specified, very large number.
The problem is that no known practical cryptosystem can be proved to be secure under
this definition. In practice, people will call a cryptosystem "computationally secure" if the
best known method of breaking the system requires an unreasonably large amount of
computer time (but this is of course very different from a proof of security). Another
approach is to provide evidence of computational security by reducing the security of the
cryptosystem to some well-studied problem that is thought to be difficult. For example, it
may be possible to prove a statement of the type "a given cryptosystem is secure if a given
integer n cannot be factored." Cryptosystems of this type are sometimes termed "provably
secure," but it must be understood that this approach only provides a proof of security
relative to some other problem, not an absolute proof of security.¹

¹ This is a similar situation to proving that a problem is NP-complete: it proves that the
given problem is at least as difficult as any other NP-complete problem, but it does not
provide an absolute proof of the computational difficulty of the problem.
unconditional security

This measure concerns the security of cryptosystems when there is no bound placed on the
amount of computation that Oscar is allowed to do. A cryptosystem is defined to be
unconditionally secure if it cannot be broken, even with infinite computational resources.

When we discuss the security of a cryptosystem, we should also specify the type of attack that is being
considered. In Chapter 1, we saw that neither the Shift Cipher, the Substitution Cipher nor the
Vigenere Cipher is computationally secure against a ciphertext-only attack (given a sufficient amount
of ciphertext).

What we will do in this section is to develop the theory of cryptosystems that are unconditionally secure
against a ciphertext-only attack. It turns out that all three of the above ciphers are unconditionally secure
if only one element of plaintext is encrypted with a given key!

The unconditional security of a cryptosystem obviously cannot be studied from the point of view of
computational complexity, since we allow computation time to be infinite. The appropriate framework
in which to study unconditional security is probability theory. We need only elementary facts concerning
probability; the main definitions are reviewed now.

DEFINITION 2.1 Suppose X and Y are random variables. We denote the probability that X takes on
the value x by p(x), and the probability that Y takes on the value y by p(y). The joint probability p(x, y) is
the probability that X takes on the value x and Y takes on the value y. The conditional probability $p(x \mid y)$
denotes the probability that X takes on the value x given that Y takes on the value y. The random
variables X and Y are said to be independent if p(x, y) = p(x)p(y) for all possible values x of X and y of
Y.

Joint probability can be related to conditional probability by the formula
$$p(x, y) = p(x \mid y)\, p(y).$$
Interchanging x and y, we have that
$$p(x, y) = p(y \mid x)\, p(x).$$
From these two expressions, we immediately obtain the following result, which is known as Bayes'
Theorem.

THEOREM 2.1 (Bayes' Theorem)

If p(y) > 0, then
$$p(x \mid y) = \frac{p(x)\, p(y \mid x)}{p(y)}.$$

COROLLARY 2.2

X and Y are independent variables if and only if $p(x \mid y) = p(x)$ for all x, y.

Throughout this section, we assume that a particular key is used for only one encryption. Let us suppose
that there is a probability distribution on the plaintext space, $\mathcal{P}$. We denote the a priori probability that
plaintext x occurs by $p_{\mathcal{P}}(x)$. We also assume that the key K is chosen (by Alice and Bob) using some
fixed probability distribution (often a key is chosen at random, so all keys will be equiprobable, but this
need not be the case). Denote the probability that key K is chosen by $p_{\mathcal{K}}(K)$. Recall that the key is
chosen before Alice knows what the plaintext will be. Hence, we make the reasonable assumption that
the key K and the plaintext x are independent events.

The two probability distributions on $\mathcal{P}$ and $\mathcal{K}$ induce a probability distribution on $\mathcal{C}$. Indeed, it is not
hard to compute the probability $p_{\mathcal{C}}(y)$ that y is the ciphertext that is transmitted. For a key $K \in \mathcal{K}$,
define
$$C(K) = \{ e_K(x) : x \in \mathcal{P} \}.$$
That is, C(K) represents the set of possible ciphertexts if K is the key. Then, for every $y \in \mathcal{C}$, we have
that
$$p_{\mathcal{C}}(y) = \sum_{\{K : y \in C(K)\}} p_{\mathcal{K}}(K)\, p_{\mathcal{P}}(d_K(y)).$$
We also observe that, for any $y \in \mathcal{C}$ and $x \in \mathcal{P}$, we can compute the conditional probability $p_{\mathcal{C}}(y \mid x)$
(i.e., the probability that y is the ciphertext, given that x is the plaintext) to be
$$p_{\mathcal{C}}(y \mid x) = \sum_{\{K : x = d_K(y)\}} p_{\mathcal{K}}(K).$$
It is now possible to compute the conditional probability $p_{\mathcal{P}}(x \mid y)$ (i.e., the probability that x is the
plaintext, given that y is the ciphertext) using Bayes' Theorem. The following formula is obtained:
$$p_{\mathcal{P}}(x \mid y) = \frac{p_{\mathcal{P}}(x) \sum_{\{K : x = d_K(y)\}} p_{\mathcal{K}}(K)}{\sum_{\{K : y \in C(K)\}} p_{\mathcal{K}}(K)\, p_{\mathcal{P}}(d_K(y))}.$$

Observe that all these calculations can be performed by anyone who knows the probability distributions.
We present a toy example to illustrate the computation of these probability distributions.
Example 2.1

Let $\mathcal{P} = \{a, b\}$ with $p_{\mathcal{P}}(a) = 1/4$, $p_{\mathcal{P}}(b) = 3/4$. Let $\mathcal{K} = \{K_1, K_2, K_3\}$ with
$p_{\mathcal{K}}(K_1) = 1/2$, $p_{\mathcal{K}}(K_2) = p_{\mathcal{K}}(K_3) = 1/4$. Let $\mathcal{C} = \{1, 2, 3, 4\}$, and suppose the
encryption functions are defined to be $e_{K_1}(a) = 1$, $e_{K_1}(b) = 2$; $e_{K_2}(a) = 2$, $e_{K_2}(b) = 3$; and
$e_{K_3}(a) = 3$, $e_{K_3}(b) = 4$. This cryptosystem can be represented by the following encryption matrix:

        a   b
  K1    1   2
  K2    2   3
  K3    3   4

We now compute the probability distribution $p_{\mathcal{C}}$. We obtain
$$p_{\mathcal{C}}(1) = \tfrac{1}{8}, \qquad p_{\mathcal{C}}(2) = \tfrac{3}{8} + \tfrac{1}{16} = \tfrac{7}{16}, \qquad p_{\mathcal{C}}(3) = \tfrac{3}{16} + \tfrac{1}{16} = \tfrac{1}{4}, \qquad p_{\mathcal{C}}(4) = \tfrac{3}{16}.$$

Now we can compute the conditional probability distributions on the plaintext, given that a certain
ciphertext has been observed. We have:
$$p_{\mathcal{P}}(a \mid 1) = 1, \qquad p_{\mathcal{P}}(b \mid 1) = 0,$$
$$p_{\mathcal{P}}(a \mid 2) = \tfrac{1}{7}, \qquad p_{\mathcal{P}}(b \mid 2) = \tfrac{6}{7},$$
$$p_{\mathcal{P}}(a \mid 3) = \tfrac{1}{4}, \qquad p_{\mathcal{P}}(b \mid 3) = \tfrac{3}{4},$$
$$p_{\mathcal{P}}(a \mid 4) = 0, \qquad p_{\mathcal{P}}(b \mid 4) = 1.$$

We are now ready to define the concept of perfect secrecy. Informally, perfect secrecy means that Oscar
can obtain no information about plaintext by observing the ciphertext. This idea is made precise by
formulating it in terms of the probability distributions we have defined, as follows.

DEFINITION 2.2 A cryptosystem has perfect secrecy if $p_{\mathcal{P}}(x \mid y) = p_{\mathcal{P}}(x)$ for all $x \in \mathcal{P}$, $y \in \mathcal{C}$.
That is, the a posteriori probability that the plaintext is x, given that the ciphertext y is observed, is
identical to the a priori probability that the plaintext is x.

In Example 2.1, the perfect secrecy property is satisfied for the ciphertext 3, but not for the other three
ciphertexts.



We next prove that the Shift Cipher provides perfect secrecy. This seems quite obvious intuitively. For,
if we are given any ciphertext element $y \in \mathbb{Z}_{26}$, then any plaintext element $x \in \mathbb{Z}_{26}$ is a possible
decryption of y, depending on the value of the key. The following theorem gives the formal statement
and proof using probability distributions.

THEOREM 2.3

Suppose the 26 keys in the Shift Cipher are used with equal probability 1/26. Then for any plaintext
probability distribution, the Shift Cipher has perfect secrecy.

PROOF Recall that $\mathcal{P} = \mathcal{C} = \mathcal{K} = \mathbb{Z}_{26}$ and for $0 \le K \le 25$, the encryption rule $e_K$ is $e_K(x) = x + K$
mod 26. First, we compute the distribution $p_{\mathcal{C}}$. Let $y \in \mathbb{Z}_{26}$; then
$$p_{\mathcal{C}}(y) = \sum_{K \in \mathbb{Z}_{26}} p_{\mathcal{K}}(K)\, p_{\mathcal{P}}(d_K(y)) = \sum_{K \in \mathbb{Z}_{26}} \frac{1}{26}\, p_{\mathcal{P}}(y - K) = \frac{1}{26} \sum_{K \in \mathbb{Z}_{26}} p_{\mathcal{P}}(y - K).$$
Now, for fixed y, the values $y - K \bmod 26$ comprise a permutation of $\mathbb{Z}_{26}$, and $p_{\mathcal{P}}$ is a probability
distribution. Hence we have that
$$\sum_{K \in \mathbb{Z}_{26}} p_{\mathcal{P}}(y - K) = \sum_{y \in \mathbb{Z}_{26}} p_{\mathcal{P}}(y) = 1.$$
Consequently,
$$p_{\mathcal{C}}(y) = \frac{1}{26}$$
for any $y \in \mathbb{Z}_{26}$.

Next, we have that
$$p_{\mathcal{C}}(y \mid x) = \frac{1}{26}$$
for every x, y, since for every x, y the unique key K such that $e_K(x) = y$ is $K = y - x \bmod 26$. Now, using
Bayes' Theorem, it is trivial to compute
$$p_{\mathcal{P}}(x \mid y) = \frac{p_{\mathcal{P}}(x)\, p_{\mathcal{C}}(y \mid x)}{p_{\mathcal{C}}(y)} = \frac{p_{\mathcal{P}}(x) \cdot \frac{1}{26}}{\frac{1}{26}} = p_{\mathcal{P}}(x),$$
so we have perfect secrecy.

So, the Shift Cipher is "unbreakable" provided that a new random key is used to encrypt every plaintext
character.
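The probability computations of Example 2.1 and the perfect secrecy condition of Definition 2.2, applied to that example and to the Shift Cipher of Theorem 2.3, as an added example that is not the book's own code. Exact fractions are used so that the equality $p_{\mathcal{P}}(x \mid y) = p_{\mathcal{P}}(x)$ is tested exactly; the non-uniform plaintext distribution used for the Shift Cipher is constructed here.

```python
"""Probability computations of Section 2.1: p_C, p_P(x | y) and the perfect
secrecy test, applied to Example 2.1 and to the Shift Cipher of Theorem 2.3.
A cryptosystem is given by the distributions p_P and p_K (dicts of exact
fractions) and the encryption rules enc[K][x] = e_K(x)."""
from fractions import Fraction


def ciphertext_distribution(p_P, p_K, enc):
    """p_C(y) = sum over keys K with y in C(K) of p_K(K) p_P(d_K(y))."""
    p_C = {}
    for K, pk in p_K.items():
        for x, px in p_P.items():
            y = enc[K][x]                   # so d_K(y) = x
            p_C[y] = p_C.get(y, 0) + pk * px
    return p_C


def posterior(p_P, p_K, enc, x, y):
    """p_P(x | y) = p_P(x) p_C(y | x) / p_C(y) (Bayes' Theorem), with
    p_C(y | x) = sum of p_K(K) over the keys K for which e_K(x) = y."""
    p_y_given_x = sum(pk for K, pk in p_K.items() if enc[K][x] == y)
    return p_P[x] * p_y_given_x / ciphertext_distribution(p_P, p_K, enc)[y]


def has_perfect_secrecy(p_P, p_K, enc):
    """Definition 2.2: p_P(x | y) = p_P(x) for every x and every used y."""
    p_C = ciphertext_distribution(p_P, p_K, enc)
    return all(posterior(p_P, p_K, enc, x, y) == p_P[x]
               for x in p_P for y in p_C)


# Example 2.1: P = {a, b}, K = {K1, K2, K3}, C = {1, 2, 3, 4}.
EX_P = {"a": Fraction(1, 4), "b": Fraction(3, 4)}
EX_K = {"K1": Fraction(1, 2), "K2": Fraction(1, 4), "K3": Fraction(1, 4)}
EX_ENC = {"K1": {"a": 1, "b": 2}, "K2": {"a": 2, "b": 3}, "K3": {"a": 3, "b": 4}}


def shift_cipher(p_P):
    """Shift Cipher over Z_26 with all 26 keys equiprobable (Theorem 2.3)."""
    p_K = {K: Fraction(1, 26) for K in range(26)}
    enc = {K: {x: (x + K) % 26 for x in range(26)} for K in range(26)}
    return p_P, p_K, enc


def skewed_plaintext_distribution():
    """An arbitrary (constructed) non-uniform distribution on Z_26."""
    return {x: Fraction(x + 1, 351) for x in range(26)}   # 1+2+...+26 = 351


if __name__ == "__main__":
    print(ciphertext_distribution(EX_P, EX_K, EX_ENC))
    for y in (1, 2, 3, 4):
        print(y, [posterior(EX_P, EX_K, EX_ENC, x, y) for x in ("a", "b")])
    print("Example 2.1 perfect secrecy:", has_perfect_secrecy(EX_P, EX_K, EX_ENC))
    print("Shift Cipher perfect secrecy:",
          has_perfect_secrecy(*shift_cipher(skewed_plaintext_distribution())))
```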

Let us next investigate perfect secrecy in general. First, we observe that, using Bayes' Theorem, the
condition that $p_{\mathcal{P}}(x \mid y) = p_{\mathcal{P}}(x)$ for all $x \in \mathcal{P}$, $y \in \mathcal{C}$ is equivalent to $p_{\mathcal{C}}(y \mid x) = p_{\mathcal{C}}(y)$ for
all $x \in \mathcal{P}$, $y \in \mathcal{C}$. Now, let us make the reasonable assumption that $p_{\mathcal{C}}(y) > 0$ for all $y \in \mathcal{C}$
(if $p_{\mathcal{C}}(y) = 0$, then ciphertext y is never used and can be omitted from $\mathcal{C}$). Fix any $x \in \mathcal{P}$. For
each $y \in \mathcal{C}$, we have $p_{\mathcal{C}}(y \mid x) = p_{\mathcal{C}}(y) > 0$. Hence, for each $y \in \mathcal{C}$, there must be at least one key K
such that $e_K(x) = y$. It follows that $|\mathcal{K}| \ge |\mathcal{C}|$. In any cryptosystem, we must have $|\mathcal{C}| \ge |\mathcal{P}|$ since each
encoding rule is an injection. In the boundary case $|\mathcal{K}| = |\mathcal{C}| = |\mathcal{P}|$, we can give a nice characterization
of when perfect secrecy can be obtained. This characterization is originally due to Shannon.

THEOREM 2.4 

Suppose is a cryptosystem where 

Vc\ = \c\ = \v\ 

. Then the cryptosystem provides 

perfect secrecy if and only if every key is used with equal probability 

1/|K| 

, every * c and every 

y ^ there is a unique key K such that e (x) = y. 

PROOF Suppose the given cryptosystem provides perfect secrecy. As observed above, for each 
$x \in \mathcal{P}$ and $y \in \mathcal{C}$ there must be at least one key K such that $e_K(x) = y$. So we have the inequalities: 

$$|\mathcal{C}| = |\{e_K(x) : K \in \mathcal{K}\}| \leq |\mathcal{K}|.$$

But we are assuming that $|\mathcal{C}| = |\mathcal{K}|$. Hence, it must be the case that 

$$|\{e_K(x) : K \in \mathcal{K}\}| = |\mathcal{K}|.$$

That is, there do not exist two distinct keys $K_1$ and $K_2$ such that $e_{K_1}(x) = e_{K_2}(x) = y$. Hence, we have 
shown that for any $x \in \mathcal{P}$ and $y \in \mathcal{C}$, there is exactly one key K such that $e_K(x) = y$. 

Denote $n = |\mathcal{K}|$. Let $\mathcal{P} = \{x_i : 1 \leq i \leq n\}$ and fix a $y \in \mathcal{C}$. We can name the keys $K_1, K_2, \ldots, K_n$ in 
such a way that $e_{K_i}(x_i) = y$, $1 \leq i \leq n$. Using Bayes' theorem, we have 

$$p_{\mathcal{P}}(x_i \mid y) = \frac{p_{\mathcal{C}}(y \mid x_i)\, p_{\mathcal{P}}(x_i)}{p_{\mathcal{C}}(y)} = \frac{p_{\mathcal{K}}(K_i)\, p_{\mathcal{P}}(x_i)}{p_{\mathcal{C}}(y)}.$$

Consider the perfect secrecy condition $p_{\mathcal{P}}(x_i \mid y) = p_{\mathcal{P}}(x_i)$. From this, it follows that 

$$p_{\mathcal{K}}(K_i) = p_{\mathcal{C}}(y),$$

for $1 \leq i \leq n$. This says that the keys are used with equal probability (namely, $p_{\mathcal{C}}(y)$). 
But since the number of keys is $|\mathcal{K}|$, we must have that $p_{\mathcal{K}}(K) = 1/|\mathcal{K}|$ for every $K \in \mathcal{K}$. 

Conversely, suppose the two hypothesized conditions are satisfied. Then the cryptosystem is easily seen 
to provide perfect secrecy for any plaintext probability distribution, in a similar manner as the proof of 
Theorem 2.3. We leave the details for the reader. 

Figure 2.1 One-time Pad 

One well-known realization of perfect secrecy is the Vernam One-time Pad, which was first described 
by Gilbert Vernam in 1917 for use in automatic encryption and decryption of telegraph messages. It is 
interesting that the One-time Pad was thought for many years to be an "unbreakable" cryptosystem, but 
there was no proof of this until Shannon developed the concept of perfect secrecy over 30 years later. 



The description of the One-time Pad is given in Figure 2.1. 



Using Theorem 2.4, it is easily seen that the One-time Pad provides perfect secrecy. The system is also 
attractive because of the ease of encryption and decryption. 



Vernam patented his idea in the hope that it would have widespread commercial use. Unfortunately, 
there are major disadvantages to unconditionally secure cryptosystems such as the One-time Pad. The 
fact that $|\mathcal{K}| \geq |\mathcal{P}|$ means that the amount of key that must be communicated securely is at least as big 
as the amount of plaintext. For example, in the case of the One-time Pad, we require n bits of key to 
encrypt n bits of plaintext. This would not be a major problem if the same key could be used to encrypt 
different messages; however, the security of unconditionally secure cryptosystems depends on the fact 
that each key is used for only one encryption. (This is the reason for the term "one-time" in the One-time 
Pad.) 



For example, the One-time Pad is vulnerable to a known-plaintext attack, since K can be computed as 
the exclusive-or of the bitstrings x and $e_K(x)$. Hence, a new key needs to be generated and communicated 
over a secure channel for every message that is going to be sent. This creates severe key management 
problems, which has limited the use of the One-time Pad in commercial applications. However, the 
One-time Pad has seen application in military and diplomatic contexts, where unconditional security 
may be of great importance. 

The historical development of cryptography has been to try to design cryptosystems where one key can 
be used to encrypt a relatively long string of plaintext (i.e., one key can be used to encrypt many 
messages) and still maintain (at least) computational security. One such system is the Data Encryption 
Standard, which we will study in Chapter 3. 
2.2 Entropy 

In the previous section, we discussed the concept of perfect secrecy. We restricted our attention to the 
special situation where a key is used for only one encryption. We now want to look at what happens as 
more and more plaintexts are encrypted using the same key, and how likely a cryptanalyst will be able to 
carry out a successful ciphertext-only attack, given sufficient time. 

The basic tool in studying this question is the idea of entropy, a concept from information theory 
introduced by Shannon in 1948. Entropy can be thought of as a mathematical measure of information or 
uncertainty, and is computed as a function of a probability distribution. 

Suppose we have a random variable X which takes on a finite set of values according to a probability 
distribution p(X). What is the information gained by an event which takes place according to distribution 
p(X)? Equivalently, if the event has not (yet) taken place, what is the uncertainty about the outcome? 
This quantity is called the entropy of X and is denoted by H(X). 

These ideas may seem rather abstract, so let's look at a more concrete example. Suppose our random 
variable X represents the toss of a coin. The probability distribution is p(heads) = p(tails) = 1/2. It would 
seem reasonable to say that the information, or entropy, of a coin toss is one bit, since we could encode 
heads by 1 and tails by 0, for example. In a similar fashion, the entropy of n independent coin tosses is 
n, since the n coin tosses can be encoded by a bit string of length n. 

As a slightly more complicated example, suppose we have a random variable X that takes on three 
possible values $x_1, x_2, x_3$ with probabilities 1/2, 1/4, 1/4 respectively. The most efficient "encoding" of 
the three possible outcomes is to encode $x_1$ as 0, to encode $x_2$ as 10 and to encode $x_3$ as 11. Then the 
average number of bits in an encoding of X is 

$$\frac{1}{2} \times 1 + \frac{1}{4} \times 2 + \frac{1}{4} \times 2 = \frac{3}{2}.$$

The above examples suggest that an event which occurs with probability $2^{-n}$ can be encoded as a bit 
string of length n. More generally, we could imagine that an event occurring with probability p might be 
encoded by a bit string of length approximately $-\log_2 p$. Given an arbitrary probability distribution 
$p_1, p_2, \ldots, p_n$ for a random variable X, we take the weighted average of the quantities $-\log_2 p_i$ to be our 
measure of information. This motivates the following formal definition. 

DEFINITION 2.3 Suppose X is a random variable which takes on a finite set of values according to a 
probability distribution p(X). Then, the entropy of this probability distribution is defined to be the 
quantity 

$$H(X) = -\sum_{i=1}^{n} p_i \log_2 p_i.$$

If the possible values of X are $x_i$, $1 \leq i \leq n$, then we have 

$$H(X) = -\sum_{i=1}^{n} p(X = x_i) \log_2 p(X = x_i).$$

REMARK Observe that $\log_2 p_i$ is undefined if $p_i = 0$. Hence, entropy is sometimes defined to be the 
relevant sum over all the non-zero probabilities. Since $\lim_{x \to 0} x \log_2 x = 0$, there is no real difficulty with 
allowing $p_i = 0$ for some i. However, we will implicitly assume that, when computing the entropy of a 
probability distribution $p_i$, the sum is taken over the indices i such that $p_i \neq 0$. Also, we note that the 
choice of two as the base of the logarithms is arbitrary: another base would only change the value of the 
entropy by a constant factor. 

Note that if $p_i = 1/n$ for $1 \leq i \leq n$, then $H(X) = \log_2 n$. Also, it is easy to see that $H(X) \geq 0$, and $H(X) = 0$ 
if and only if $p_i = 1$ for some i and $p_j = 0$ for all $j \neq i$. 

Let us look at the entropy of the various components of a cryptosystem. We can think of the key as 
being a random variable K that takes on values according to the probability distribution $p_{\mathcal{K}}$, and hence 
we can compute the entropy H(K). Similarly, we can compute entropies H(P) and H(C) associated with 
plaintext and ciphertext probability distributions, respectively. 

To illustrate, we compute the entropies of the cryptosystem of Example 2.1. 

Example 2.1 (Cont.) 

We compute as follows: 

$$H(P) = -\frac{1}{4} \log_2 \frac{1}{4} - \frac{3}{4} \log_2 \frac{3}{4} = 2 - \frac{3}{4} \log_2 3 \approx 0.81.$$

Similar calculations yield $H(K) = 1.5$ and $H(C) \approx 1.85$. 
2.2.1 Huffman Encodings and Entropy 

In this section, we discuss briefly the connection between entropy and Huffman encodings. As the 
results in this section are not relevant to the cryptographic applications of entropy, it may be skipped 
without loss of continuity. However, this discussion may serve to further motivate the concept of 
entropy. 

We introduced entropy in the context of encodings of random events which occur according to a 
specified probability distribution. We first make these ideas more precise. As before, X is a random 
variable which takes on a finite set of values, and p(X) is the associated probability distribution. 

An encoding of X is any mapping 

$$f : X \to \{0, 1\}^*,$$

where $\{0, 1\}^*$ denotes the set of all finite strings of 0's and 1's. Given a finite list (or string) of events 
$x_1 \ldots x_n$, we can extend the encoding f in an obvious way by defining 

$$f(x_1 \ldots x_n) = f(x_1) \,\|\, \ldots \,\|\, f(x_n),$$

where $\|$ denotes concatenation. In this way, we can think of f as a mapping 

$$f : X^* \to \{0, 1\}^*.$$

Now, suppose a string $x_1 \ldots x_n$ is produced by a memoryless source such that each $x_i$ occurs according to 
the probability distribution on X. This means that the probability of any string $x_1 \ldots x_n$ is computed to be 
$p(x_1) \times \ldots \times p(x_n)$. (Notice that this string need not consist of distinct values, since the source is 
memoryless. As a simple example, consider a sequence of n tosses of a fair coin.) 

Now, given that we are going to encode strings using the mapping f, it is important that we are able to 
decode in an unambiguous fashion. Thus it should be the case that the encoding f is injective. 
Example 2.2 

Suppose X = {a, b, c, d}, and consider the following three encodings: 

f(a) = 1    f(b) = 10    f(c) = 100    f(d) = 1000 
g(a) = 0    g(b) = 10    g(c) = 110    g(d) = 111 
h(a) = 0    h(b) = 01    h(c) = 10     h(d) = 11 

It can be seen that f and g are injective encodings, but h is not. Any encoding using f can be decoded by 
starting at the end and working backwards: every time a 1 is encountered, it signals the end of the 
current element. 

An encoding using g can be decoded by starting at the beginning and proceeding sequentially. At any 
point where we have a substring that is an encoding of a, b, c, or d, we decode it and chop off the 
substring. For example, given the string 10101110, we decode 10 to b, then 10 to b, then 111 to d, and 
finally 0 to a. So the decoded string is bbda. 

To see that h is not injective, it suffices to give an example: 

$$h(ac) = h(ba) = 010.$$

From the point of view of ease of decoding, we would prefer the encoding g to f. This is because 
decoding can be done sequentially from beginning to end if g is used, so no memory is required. The 
property that allows the simple sequential decoding of g is called the prefix-free property. (An encoding 
g is prefix-free if there do not exist two elements $x, y \in X$, and a string $z \in \{0, 1\}^*$ such that $g(x) = g(y) \,\|\, z$.) 

The discussion to this point has not involved entropy. Not surprisingly, entropy is related to the efficiency 
of an encoding. We will measure the efficiency of an encoding f as we did before: it is the weighted 
average length (denoted by $\ell(f)$) of an encoding of an element of X. So we have the following 
definition: 

$$\ell(f) = \sum_{x \in X} p(x)\,|f(x)|,$$

where |y| denotes the length of a string y. 

Now, our fundamental problem is to find an injective encoding, f, that minimizes $\ell(f)$. There is a well-
known algorithm, known as Huffman's algorithm, that accomplishes this goal. Moreover, the encoding f 
produced by Huffman's algorithm is prefix-free, and 

$$H(X) \leq \ell(f) < H(X) + 1.$$

Thus, the value of the entropy provides a close estimate to the average length of the optimal injective 
encoding. 

We will not prove the results stated above, but we will give a short, informal description of Huffman's 
algorithm. Huffman's algorithm begins with the probability distribution on the set X, and the code of 
each element is initially empty. In each iteration, the two elements having lowest probability are 
combined into one element having as its probability the sum of the two smaller probabilities. The 
smaller of the two elements is assigned the value "0" and the larger of the two elements is assigned the 
value "1." When only one element remains, the coding for each $x \in X$ can be constructed by following 
the sequence of elements "backwards" from the final element to the initial element x. 

This is easily illustrated with an example. 

Example 2.3 

Suppose X = {a, b, c, d, e} has the following probability distribution: p(a) = .05, p(b) = .10, p(c) = .12, 
p(d) = .13 and p(e) = .60. Huffman's algorithm would proceed as indicated in the following table: 

    a      b      c      d      e 
   .05    .10    .12    .13    .60 
    0      1                          (a and b combine into an element of probability .15) 
          .15    .12    .13    .60 
                  0      1            (c and d combine into an element of probability .25) 
          .15    .25    .60 
           0      1                   (these two combine into an element of probability .40) 
          .40    .60 
           0      1                   (the final element has probability 1.00) 

This leads to the following encodings: 

    x    f(x) 
    a    000 
    b    001 
    c    010 
    d    011 
    e    1 

Thus, the average length of the encoding is 

$$\ell(f) = .05 \times 3 + .10 \times 3 + .12 \times 3 + .13 \times 3 + .60 \times 1 = 1.8.$$

Compare this to the entropy: 

$$H(X) = .2161 + .3322 + .3671 + .3826 + .4422 = 1.7402.$$
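The following Python code is an added example, not from the book: it implements Huffman's algorithm exactly as described above (smaller element gets "0", larger gets "1", codewords read backwards), runs it on the distribution of Example 2.3, checks the bound $H(X) \leq \ell(f) < H(X) + 1$, and decodes with the prefix-free encoding g of Example 2.2. The distribution and the encodings g and h are the examples' own; the function names are my own.

```python
import heapq
import itertools
import math
from typing import Dict

# Constructed input: the probability distribution of Example 2.3.
EXAMPLE_2_3 = {"a": 0.05, "b": 0.10, "c": 0.12, "d": 0.13, "e": 0.60}

# The encodings g and h of Example 2.2 (g is prefix-free, h is not even injective).
G_CODE = {"a": "0", "b": "10", "c": "110", "d": "111"}
H_CODE = {"a": "0", "b": "01", "c": "10", "d": "11"}


def entropy(dist: Dict[str, float]) -> float:
    """H(X) = -sum p(x) log2 p(x) over the non-zero probabilities (Definition 2.3)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def huffman_code(dist: Dict[str, float]) -> Dict[str, str]:
    """Huffman's algorithm as described in Section 2.2.1.

    Each iteration merges the two elements of lowest probability; the smaller
    one is assigned bit "0" and the larger bit "1".  A symbol's codeword is the
    sequence of bits read back from the final element to the symbol, so a bit
    assigned to a merged group is prepended to every symbol inside the group.
    """
    code = {x: "" for x in dist}
    tiebreak = itertools.count()   # keeps heap entries comparable when probabilities tie
    heap = [(p, next(tiebreak), [x]) for x, p in dist.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        p0, _, smaller = heapq.heappop(heap)   # lowest probability  -> "0"
        p1, _, larger = heapq.heappop(heap)    # second lowest       -> "1"
        for x in smaller:
            code[x] = "0" + code[x]
        for x in larger:
            code[x] = "1" + code[x]
        heapq.heappush(heap, (p0 + p1, next(tiebreak), smaller + larger))
    return code


def average_length(dist: Dict[str, float], code: Dict[str, str]) -> float:
    """l(f) = sum p(x) |f(x)|, the weighted average codeword length."""
    return sum(p * len(code[x]) for x, p in dist.items())


def is_prefix_free(code: Dict[str, str]) -> bool:
    """No codeword is a prefix of a different codeword."""
    words = list(code.values())
    return not any(u != v and v.startswith(u) for u in words for v in words)


def decode(code: Dict[str, str], bits: str) -> str:
    """Sequential decoding of a prefix-free code: scan from the beginning and
    chop off a codeword as soon as the current substring is one."""
    if not is_prefix_free(code):
        raise ValueError("sequential decoding needs a prefix-free code")
    symbol_of = {w: x for x, w in code.items()}
    out, current = [], ""
    for b in bits:
        current += b
        if current in symbol_of:
            out.append(symbol_of[current])
            current = ""
    if current:
        raise ValueError("bit string ends in the middle of a codeword")
    return "".join(out)


if __name__ == "__main__":
    f = huffman_code(EXAMPLE_2_3)
    h = entropy(EXAMPLE_2_3)
    print("Huffman code:", f)                                     # a=000 b=001 c=010 d=011 e=1
    print("l(f) =", average_length(EXAMPLE_2_3, f))               # 1.8
    print("H(X) =", round(h, 4))                                  # 1.7402
    print("H(X) <= l(f) < H(X) + 1:", h <= average_length(EXAMPLE_2_3, f) < h + 1)
    print("g decodes 10101110 to", decode(G_CODE, "10101110"))     # bbda
    print("h prefix-free?", is_prefix_free(H_CODE))                # False
```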
2.3 Properties of Entropy 

In this section, we prove some fundamental results concerning entropy. First, we state a fundamental 
result, known as Jensen's Inequality, that will be very useful to us. Jensen's Inequality involves concave 
functions, which we now define. 

DEFINITION 2.4 A real-valued function f is concave on an interval I if 

$$f\left(\frac{x + y}{2}\right) \geq \frac{f(x) + f(y)}{2}$$

for all $x, y \in I$. f is strictly concave on an interval I if 

$$f\left(\frac{x + y}{2}\right) > \frac{f(x) + f(y)}{2}$$

for all $x, y \in I$, $x \neq y$. 

Here is Jensen's Inequality, which we state without proof. 

THEOREM 2.5 (Jensen's Inequality) 

Suppose f is a continuous strictly concave function on the interval I, 

$$\sum_{i=1}^{n} a_i = 1$$

and $a_i > 0$, $1 \leq i \leq n$. Then 

$$\sum_{i=1}^{n} a_i f(x_i) \leq f\left(\sum_{i=1}^{n} a_i x_i\right),$$

where $x_i \in I$, $1 \leq i \leq n$. Further, equality occurs if and only if $x_1 = \ldots = x_n$. 

We now proceed to derive several results on entropy. In the next theorem, we make use of the fact that 
the function $\log_2 x$ is strictly concave on the interval $(0, \infty)$. (In fact, this follows easily from elementary 
calculus since the second derivative of the logarithm function is negative on the interval $(0, \infty)$.) 

THEOREM 2.6 

Suppose X is a random variable having probability distribution $p_1, p_2, \ldots, p_n$, where $p_i > 0$, $1 \leq i \leq n$. Then 
$H(X) \leq \log_2 n$, with equality if and only if $p_i = 1/n$, $1 \leq i \leq n$. 

PROOF Applying Jensen's Inequality, we have the following: 

$$H(X) = -\sum_{i=1}^{n} p_i \log_2 p_i = \sum_{i=1}^{n} p_i \log_2 \frac{1}{p_i} \leq \log_2 \sum_{i=1}^{n} \left(p_i \times \frac{1}{p_i}\right) = \log_2 n.$$

Further, equality occurs if and only if $p_i = 1/n$, $1 \leq i \leq n$. 
THEOREM 2.7 

$H(X, Y) \leq H(X) + H(Y)$, with equality if and only if X and Y are independent events. 

PROOF Suppose X takes on values $x_i$, $1 \leq i \leq m$, and Y takes on values $y_j$, $1 \leq j \leq n$. Denote 
$p_i = p(X = x_i)$, $1 \leq i \leq m$, and $q_j = p(Y = y_j)$, $1 \leq j \leq n$. Denote $r_{ij} = p(X = x_i, Y = y_j)$, 
$1 \leq i \leq m$, $1 \leq j \leq n$ (this is the joint probability distribution). 

Observe that 

$$p_i = \sum_{j=1}^{n} r_{ij}$$

($1 \leq i \leq m$) and 

$$q_j = \sum_{i=1}^{m} r_{ij}$$

($1 \leq j \leq n$). We compute as follows: 

$$H(X) + H(Y) = -\left(\sum_{i=1}^{m} p_i \log_2 p_i + \sum_{j=1}^{n} q_j \log_2 q_j\right) = -\left(\sum_{i=1}^{m} \sum_{j=1}^{n} r_{ij} \log_2 p_i + \sum_{j=1}^{n} \sum_{i=1}^{m} r_{ij} \log_2 q_j\right) = -\sum_{i=1}^{m} \sum_{j=1}^{n} r_{ij} \log_2 p_i q_j.$$

On the other hand, 

$$H(X, Y) = -\sum_{i=1}^{m} \sum_{j=1}^{n} r_{ij} \log_2 r_{ij}.$$

Combining, we obtain the following: 

$$H(X, Y) - H(X) - H(Y) = \sum_{i=1}^{m} \sum_{j=1}^{n} r_{ij} \log_2 \frac{1}{r_{ij}} + \sum_{i=1}^{m} \sum_{j=1}^{n} r_{ij} \log_2 p_i q_j = \sum_{i=1}^{m} \sum_{j=1}^{n} r_{ij} \log_2 \frac{p_i q_j}{r_{ij}} \leq \log_2 \sum_{i=1}^{m} \sum_{j=1}^{n} p_i q_j = \log_2 1 = 0.$$

(Here, we apply Jensen's Inequality, using the fact that the $r_{ij}$'s form a probability distribution.) 

We can also say when equality occurs: it must be the case that there is a constant c such that $p_i q_j / r_{ij} = c$ 
for all i, j. Using the fact that 

$$\sum_{j=1}^{n} \sum_{i=1}^{m} r_{ij} = \sum_{j=1}^{n} \sum_{i=1}^{m} p_i q_j = 1,$$

it follows that c = 1. Hence, equality occurs if and only if $r_{ij} = p_i q_j$, i.e., if and only if 

$$p(X = x_i, Y = y_j) = p(X = x_i)\, p(Y = y_j),$$

$1 \leq i \leq m$, $1 \leq j \leq n$. But this says that X and Y are independent. 
We next define the idea of conditional entropy. 

DEFINITION 2.5 Suppose X and Y are two random variables. Then for any fixed value y of Y, we get 
a (conditional) probability distribution p(X|y). Clearly, 

$$H(X \mid y) = -\sum_{x} p(x \mid y) \log_2 p(x \mid y).$$

We define the conditional entropy H(X|Y) to be the weighted average (with respect to the probabilities 
p(y)) of the entropies H(X|y) over all possible values y. It is computed to be 

$$H(X \mid Y) = -\sum_{y} \sum_{x} p(y)\, p(x \mid y) \log_2 p(x \mid y).$$

The conditional entropy measures the average amount of information about X that is revealed by Y. 

The next two results are straightforward; we leave the proofs as exercises. 

THEOREM 2.8 

$$H(X, Y) = H(Y) + H(X \mid Y).$$

COROLLARY 2.9 

$H(X \mid Y) \leq H(X)$, with equality if and only if X and Y are independent. 
2.4 Spurious Keys and Unicity Distance 

In this section, we apply the entropy results we have proved to cryptosystems. First, we show a 
fundamental relationship exists among the entropies of the components of a cryptosystem. The 
conditional entropy H(K|C) is called the key equivocation, and is a measure of how much information 
about the key is revealed by the ciphertext. 

THEOREM 2.10 

Let $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ be a cryptosystem. Then 

$$H(K \mid C) = H(K) + H(P) - H(C).$$

PROOF First, observe that H(K, P, C) = H(C|K, P) + H(K, P). Now, the key and plaintext determine 
the ciphertext uniquely, since $y = e_K(x)$. This implies that H(C|K, P) = 0. Hence, H(K, P, C) = H(K, P). 

But K and P are independent, so H(K, P) = H(K) + H(P). Hence, 

$$H(K, P, C) = H(K, P) = H(K) + H(P).$$

In a similar fashion, since the key and ciphertext determine the plaintext uniquely (i.e., $x = d_K(y)$), we 
have that H(P|K, C) = 0 and hence H(K, P, C) = H(K, C). 
Now, we compute as follows: 

$$H(K \mid C) = H(K, C) - H(C) = H(K, P, C) - H(C) = H(K) + H(P) - H(C),$$

giving the desired formula. 
Let us return to Example 2.1 to illustrate this result. 

Example 2.1 (Cont.) 

We have already computed $H(P) \approx 0.81$, $H(K) = 1.5$ and $H(C) \approx 1.85$. Theorem 2.10 
tells us that $H(K \mid C) \approx 1.5 + 0.81 - 1.85 \approx 0.46$. This can be verified directly by applying 
the definition of conditional entropy, as follows. First, we need to compute the probabilities $p(K_i \mid j)$, 
$1 \leq i \leq 3$, $1 \leq j \leq 4$. This can be done using Bayes' Theorem, and the following values result: 

$$p(K_1 \mid 1) = 1, \quad p(K_2 \mid 1) = 0, \quad p(K_3 \mid 1) = 0$$

$$p(K_1 \mid 2) = \tfrac{6}{7}, \quad p(K_2 \mid 2) = \tfrac{1}{7}, \quad p(K_3 \mid 2) = 0$$

$$p(K_1 \mid 3) = 0, \quad p(K_2 \mid 3) = \tfrac{3}{4}, \quad p(K_3 \mid 3) = \tfrac{1}{4}$$

$$p(K_1 \mid 4) = 0, \quad p(K_2 \mid 4) = 0, \quad p(K_3 \mid 4) = 1.$$

Now we compute 

$$H(K \mid C) = \tfrac{1}{8} \times 0 + \tfrac{7}{16} \times 0.59 + \tfrac{1}{4} \times 0.81 + \tfrac{3}{16} \times 0 = 0.46,$$

agreeing with the value predicted by Theorem 2.10. 
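The following Python code is an added example, not from the book. It represents a cryptosystem as an encryption table with key and plaintext distributions, and computes the quantities used in Sections 2.1 and 2.2 for Example 2.1: the ciphertext distribution, the Bayes posteriors $p_{\mathcal{P}}(x \mid y)$ behind the perfect secrecy condition, H(P), H(K), H(C), and H(K|C) both from Definition 2.5 and from Theorem 2.10. The encryption matrix of Example 2.1 is reconstructed from the values the example states here (the $p(K_i \mid j)$ table and the ciphertext probabilities 1/8, 7/16, 1/4, 3/16); the One-time Pad instance and its non-uniform plaintext distribution are constructed to show Theorem 2.4's conditions giving perfect secrecy.

```python
import math
from fractions import Fraction
from typing import Dict, Hashable, Tuple

# Constructed input: the cryptosystem of Example 2.1, with its encryption matrix
# reconstructed from the values the example states (p_P(a) = 1/4, p_P(b) = 3/4,
# key probabilities 1/2, 1/4, 1/4, and the p(K_i | j) table above).
EXAMPLE_2_1 = {
    "plain": {"a": Fraction(1, 4), "b": Fraction(3, 4)},
    "keys": {"K1": Fraction(1, 2), "K2": Fraction(1, 4), "K3": Fraction(1, 4)},
    # table[K][x] = e_K(x)
    "table": {"K1": {"a": 1, "b": 2}, "K2": {"a": 2, "b": 3}, "K3": {"a": 3, "b": 4}},
}


def entropy(dist: Dict[Hashable, Fraction]) -> float:
    """H = -sum p log2 p over the non-zero probabilities (Definition 2.3)."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values() if p > 0)


def joint_key_cipher(cs) -> Dict[Tuple[Hashable, Hashable], Fraction]:
    """p(K, y) = p_K(K) * (sum of p_P(x) over the x with e_K(x) = y).
    Keys and plaintexts are chosen independently, so the product is the joint probability."""
    joint: Dict[Tuple[Hashable, Hashable], Fraction] = {}
    for K, pk in cs["keys"].items():
        for x, px in cs["plain"].items():
            y = cs["table"][K][x]
            joint[(K, y)] = joint.get((K, y), Fraction(0)) + pk * px
    return joint


def ciphertext_dist(cs) -> Dict[Hashable, Fraction]:
    """p_C(y) = sum over keys K of p(K, y)."""
    pc: Dict[Hashable, Fraction] = {}
    for (_K, y), p in joint_key_cipher(cs).items():
        pc[y] = pc.get(y, Fraction(0)) + p
    return pc


def plaintext_given_cipher(cs) -> Dict[Tuple[Hashable, Hashable], Fraction]:
    """Bayes' Theorem: p_P(x | y) = p_P(x) p_C(y | x) / p_C(y), where
    p_C(y | x) is the total probability of the keys K with e_K(x) = y."""
    pc = ciphertext_dist(cs)
    post: Dict[Tuple[Hashable, Hashable], Fraction] = {}
    for x, px in cs["plain"].items():
        for y, py in pc.items():
            p_y_given_x = sum((pk for K, pk in cs["keys"].items() if cs["table"][K][x] == y), Fraction(0))
            post[(x, y)] = px * p_y_given_x / py
    return post


def has_perfect_secrecy(cs) -> bool:
    """Perfect secrecy: p_P(x | y) = p_P(x) for every plaintext x and ciphertext y."""
    return all(p == cs["plain"][x] for (x, _y), p in plaintext_given_cipher(cs).items())


def key_equivocation(cs) -> float:
    """H(K | C) from Definition 2.5: the p_C(y)-weighted average of H(K | y),
    with p(K | y) = p(K, y) / p_C(y)."""
    joint = joint_key_cipher(cs)
    total = 0.0
    for y, py in ciphertext_dist(cs).items():
        cond = {K: joint.get((K, y), Fraction(0)) / py for K in cs["keys"]}
        total += float(py) * entropy(cond)
    return total


def key_equivocation_thm_2_10(cs) -> float:
    """H(K | C) = H(K) + H(P) - H(C) (Theorem 2.10)."""
    return entropy(cs["keys"]) + entropy(cs["plain"]) - entropy(ciphertext_dist(cs))


def one_time_pad(n: int):
    """The One-time Pad of Figure 2.1 on n-bit strings as a table-form cryptosystem:
    e_K(x) = x XOR K with keys equiprobable, plus a constructed non-uniform plaintext
    distribution (perfect secrecy must hold whatever the plaintext distribution is)."""
    strings = [format(i, f"0{n}b") for i in range(2 ** n)]
    denominator = sum(range(1, 2 ** n + 1))
    plain = {x: Fraction(i + 1, denominator) for i, x in enumerate(strings)}
    keys = {k: Fraction(1, 2 ** n) for k in strings}
    table = {k: {x: format(int(k, 2) ^ int(x, 2), f"0{n}b") for x in strings} for k in strings}
    return {"plain": plain, "keys": keys, "table": table}


if __name__ == "__main__":
    cs = EXAMPLE_2_1
    print("p_C:", ciphertext_dist(cs))                      # {1: 1/8, 2: 7/16, 3: 1/4, 4: 3/16}
    print("perfect secrecy:", has_perfect_secrecy(cs))      # False: p_P(a | 1) = 1, not 1/4
    print("H(P), H(K), H(C):", entropy(cs["plain"]), entropy(cs["keys"]), entropy(ciphertext_dist(cs)))
    print("H(K|C) by definition:", key_equivocation(cs))    # ~0.46
    print("H(K|C) by Theorem 2.10:", key_equivocation_thm_2_10(cs))
    print("One-time Pad (n=2) perfect secrecy:", has_perfect_secrecy(one_time_pad(2)))  # True
```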

Suppose $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ is the cryptosystem being used, and a string of plaintext 

$$x_1 x_2 \ldots x_n$$

is encrypted with one key, producing a string of ciphertext 

$$y_1 y_2 \ldots y_n.$$

Recall that the basic goal of the cryptanalyst is to determine the key. We are looking at ciphertext-only 
attacks, and we assume that Oscar has infinite computational resources. We also assume that Oscar 
knows that the plaintext is a "natural" language, such as English. In general, Oscar will be able to rule 
out certain keys, but many "possible" keys may remain, only one of which is the correct key. The 
remaining possible, but incorrect, keys are called spurious keys. 

For example, suppose Oscar obtains the ciphertext string WNAJW, which has been obtained by 
encryption using a shift cipher. It is easy to see that there are only two "meaningful" plaintext strings, 
namely river and arena, corresponding respectively to the possible encryption keys F (= 5) and W (= 
22). Of these two keys, one will be the correct key and the other will be spurious. (Actually, it is 
moderately difficult to find a ciphertext of length 5 for the Shift Cipher that has two meaningful 
decryptions; the reader might search for other examples.) 

Our goal is to prove a bound on the expected number of spurious keys. First, we have to define what we 
mean by the entropy (per letter) of a natural language L, which we denote $H_L$. $H_L$ should be a measure of 
the average information per letter in a "meaningful" string of plaintext. (Note that a random string of 
alphabetic characters would have entropy (per letter) equal to $\log_2 26 \approx 4.70$.) As a "first-order" 
approximation to $H_L$, we could take H(P). In the case where L is the English language, we get 
$H(P) \approx 4.19$ by using the probability distribution given in Table 1.1. 

Of course, successive letters in a language are not independent, and correlations among successive 
letters reduce the entropy. For example, in English, the letter "Q" is always followed by the letter "U." 
For a "second-order" approximation, we would compute the entropy of the probability distribution of all 
digrams and then divide by 2. In general, define $P^n$ to be the random variable that has as its probability 
distribution that of all n-grams of plaintext. We make use of the following definitions. 
DEFINITION 2.6 Suppose L is a natural language. The entropy of L is defined to be the quantity 

$$H_L = \lim_{n \to \infty} \frac{H(P^n)}{n}$$

and the redundancy of L is defined to be 

$$R_L = 1 - \frac{H_L}{\log_2 |\mathcal{P}|}.$$

REMARK $H_L$ measures the entropy per letter of the language L. A random language would have entropy 
$\log_2 |\mathcal{P}|$. So the quantity $R_L$ measures the fraction of "excess characters," which we think of as 
redundancy. 

In the case of the English language, a tabulation of a large number of digrams and their frequencies 
would produce an estimate for $H(P^2)$; $H(P^2)/2$ is one estimate of $H_L$ obtained in this way. One could 
continue, tabulating trigrams, etc. and thus obtain an estimate for $H_L$. In fact, various experiments have 
yielded the empirical result that $1.0 \leq H_L \leq 1.5$. That is, the average information content in English is 
something like one to one and a half bits per letter! 

Using 1.25 as our estimate of $H_L$ gives a redundancy of about 0.75. This means that the English 
language is 75% redundant! (This is not to say that one can arbitrarily remove three out of every four 
letters from English text and hope to still be able to read it. What it does mean is that it is possible to 
find a Huffman encoding of n-grams, for a large enough value of n, which will compress English text to 
about one quarter of its original length.) 

Given probability distributions on $\mathcal{K}$ and $\mathcal{P}^n$, we can define the induced probability distribution on 
$\mathcal{C}^n$, the set of n-grams of ciphertext (we already did this in the case n = 1). We have defined $P^n$ to be a 
random variable representing an n-gram of plaintext. Similarly, define $C^n$ to be a random variable 
representing an n-gram of ciphertext. 

Given $\mathbf{y} \in \mathcal{C}^n$, define 

$$K(\mathbf{y}) = \{K \in \mathcal{K} : \exists\, \mathbf{x} \in \mathcal{P}^n,\ p_{P^n}(\mathbf{x}) > 0,\ e_K(\mathbf{x}) = \mathbf{y}\}.$$

That is, $K(\mathbf{y})$ is the set of keys K for which $\mathbf{y}$ is the encryption of a meaningful string of plaintext of 
length n, i.e., the set of "possible" keys, given that $\mathbf{y}$ is the ciphertext. If $\mathbf{y}$ is the observed sequence of 
ciphertext, then the number of spurious keys is $|K(\mathbf{y})| - 1$, since only one of the "possible" keys is the 
correct key. The average number of spurious keys (over all possible ciphertext strings of length n) is 
denoted by $\bar{s}_n$. Its value is computed to be 

$$\bar{s}_n = \sum_{\mathbf{y} \in \mathcal{C}^n} p(\mathbf{y})\,(|K(\mathbf{y})| - 1) = \sum_{\mathbf{y} \in \mathcal{C}^n} p(\mathbf{y})\,|K(\mathbf{y})| - \sum_{\mathbf{y} \in \mathcal{C}^n} p(\mathbf{y}) = \sum_{\mathbf{y} \in \mathcal{C}^n} p(\mathbf{y})\,|K(\mathbf{y})| - 1.$$

From Theorem 2.10, we have that 

$$H(K \mid C^n) = H(K) + H(P^n) - H(C^n).$$

Also, we can use the estimate 

$$H(P^n) \approx n H_L = n(1 - R_L) \log_2 |\mathcal{P}|,$$

provided n is reasonably large. Certainly, 

$$H(C^n) \leq n \log_2 |\mathcal{C}|.$$

Then, if $|\mathcal{C}| = |\mathcal{P}|$, it follows that 

$$H(K \mid C^n) \geq H(K) - n R_L \log_2 |\mathcal{P}|. \qquad (2.1)$$
Next, we relate the quantity $H(K \mid C^n)$ to the number of spurious keys, $\bar{s}_n$. We compute as follows: 

$$H(K \mid C^n) = \sum_{\mathbf{y} \in \mathcal{C}^n} p(\mathbf{y})\, H(K \mid \mathbf{y}) \leq \sum_{\mathbf{y} \in \mathcal{C}^n} p(\mathbf{y}) \log_2 |K(\mathbf{y})| \leq \log_2 \sum_{\mathbf{y} \in \mathcal{C}^n} p(\mathbf{y})\,|K(\mathbf{y})| = \log_2(\bar{s}_n + 1),$$

where we apply Jensen's Inequality (Theorem 2.5) with $f(x) = \log_2 x$. Thus we obtain the inequality 

$$H(K \mid C^n) \leq \log_2(\bar{s}_n + 1). \qquad (2.2)$$

Combining the two inequalities (2.1) and (2.2), we get that 

$$\log_2(\bar{s}_n + 1) \geq H(K) - n R_L \log_2 |\mathcal{P}|.$$

In the case where keys are chosen equiprobably (which maximizes H(K)), we have the following result. 
THEOREM 2.11 

Suppose $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ is a cryptosystem where $|\mathcal{C}| = |\mathcal{P}|$ and keys are chosen equiprobably. Let $R_L$ 
denote the redundancy of the underlying language. Then given a string of ciphertext of length n, where n 
is sufficiently large, the expected number of spurious keys, $\bar{s}_n$, satisfies 

$$\bar{s}_n \geq \frac{|\mathcal{K}|}{|\mathcal{P}|^{n R_L}} - 1.$$

The quantity $|\mathcal{K}| / |\mathcal{P}|^{n R_L} - 1$ approaches 0 exponentially quickly as n increases. Also, note that the 
estimate may not be accurate for small values of n, especially since $H(P^n)/n$ may not be a good estimate 
for $H_L$ if n is small. 
We have one more concept to define. 
DEFINITION 2.7 The unicity distance of a cryptosystem is defined to be the value of n, denoted by $n_0$, 
at which the expected number of spurious keys becomes zero; i.e., the average amount of ciphertext 
required for an opponent to be able to uniquely compute the key, given enough computing time. 

If we set $\bar{s}_n = 0$ in Theorem 2.11 and solve for n, we get an estimate for the unicity distance, namely 

$$n_0 \approx \frac{\log_2 |\mathcal{K}|}{R_L \log_2 |\mathcal{P}|}.$$

As an example, consider the Substitution Cipher. In this cryptosystem, $|\mathcal{P}| = 26$ and $|\mathcal{K}| = 26!$. 
If we take $R_L = 0.75$, then we get an estimate for the unicity distance of 

$$n_0 \approx 88.4 / (0.75 \times 4.7) \approx 25.$$

This suggests that, given a ciphertext string of length at least 25, (usually) a unique decryption is 
possible. 
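The following Python code is an added example, not from the book. It evaluates the unicity distance estimate and the Theorem 2.11 bound on $\bar{s}_n$ for the Substitution and Shift Ciphers with $R_L = 0.75$, and reproduces the WNAJW illustration by computing $K(\mathbf{y})$ for the Shift Cipher against a constructed two-word vocabulary standing in for "meaningful" English. The function names and the vocabulary are my own; an upper-case alphabet is assumed.

```python
import math
from typing import Iterable, List

SUBSTITUTION_KEYS = math.factorial(26)   # |K| for the Substitution Cipher
SHIFT_KEYS = 26                           # |K| for the Shift Cipher
ALPHABET = 26                             # |P| = |C|


def unicity_distance(num_keys: int, alphabet_size: int, redundancy: float) -> float:
    """n_0 ~ log2|K| / (R_L log2|P|), the estimate obtained from Theorem 2.11 by setting s_n = 0."""
    return math.log2(num_keys) / (redundancy * math.log2(alphabet_size))


def spurious_keys_bound(num_keys: int, alphabet_size: int, redundancy: float, n: int) -> float:
    """Lower bound of Theorem 2.11 on the expected number of spurious keys for ciphertext
    length n: s_n >= |K| / |P|^(n R_L) - 1.  Only informative while it is non-negative."""
    return num_keys / alphabet_size ** (n * redundancy) - 1


def shift_decrypt(ciphertext: str, key: int) -> str:
    """d_K(y) = y - K mod 26 on upper-case letters."""
    return "".join(chr((ord(c) - ord("A") - key) % 26 + ord("A")) for c in ciphertext)


def possible_shift_keys(ciphertext: str, vocabulary: Iterable[str]) -> List[int]:
    """K(y) for the Shift Cipher: the keys under which y decrypts to a 'meaningful' string.
    The constructed vocabulary stands in for the natural language; all but one of the
    returned keys are spurious."""
    words = set(vocabulary)
    return [k for k in range(26) if shift_decrypt(ciphertext, k) in words]


if __name__ == "__main__":
    R_L = 0.75
    # Substitution Cipher: n_0 ~ 88.4 / (0.75 * 4.7) ~ 25, as computed in the text.
    print("Substitution n_0:", round(unicity_distance(SUBSTITUTION_KEYS, ALPHABET, R_L), 1))
    # Shift Cipher: only 26 keys, so n_0 ~ 1.33 letters.
    print("Shift n_0:", round(unicity_distance(SHIFT_KEYS, ALPHABET, R_L), 2))
    for n in (1, 2, 3):
        print(f"Shift, n={n}: bound on spurious keys = {spurious_keys_bound(SHIFT_KEYS, ALPHABET, R_L, n):.2f}")
    for n in (10, 20, 25, 30):
        print(f"Substitution, n={n}: bound = {spurious_keys_bound(SUBSTITUTION_KEYS, ALPHABET, R_L, n):.3g}")
    # The WNAJW example: with a vocabulary containing river and arena, two keys survive.
    keys = possible_shift_keys("WNAJW", {"RIVER", "ARENA"})   # constructed vocabulary
    print("possible keys:", keys, "spurious:", len(keys) - 1)   # [5, 22], 1
```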
2.5 Product Cryptosystems 

Another innovation introduced by Shannon in his 1949 paper was the idea of combining cryptosystems 
by forming their "product." This idea has been of fundamental importance in the design of present-day 
cryptosystems such as the Data Encryption Standard, which we study in the next chapter. 

For simplicity, we will confine our attention in this section to cryptosystems in which $\mathcal{C} = \mathcal{P}$. 
Cryptosystems of this type are called endomorphic. Suppose $S_1 = (\mathcal{P}, \mathcal{P}, \mathcal{K}_1, \mathcal{E}_1, \mathcal{D}_1)$ and 
$S_2 = (\mathcal{P}, \mathcal{P}, \mathcal{K}_2, \mathcal{E}_2, \mathcal{D}_2)$ are two endomorphic cryptosystems which have the same plaintext (and 
ciphertext) spaces. Then the product of $S_1$ and $S_2$, denoted by $S_1 \times S_2$, is defined to be the cryptosystem 

$$(\mathcal{P}, \mathcal{P}, \mathcal{K}_1 \times \mathcal{K}_2, \mathcal{E}, \mathcal{D}).$$

A key of the product cryptosystem has the form $K = (K_1, K_2)$, where $K_1 \in \mathcal{K}_1$ and $K_2 \in \mathcal{K}_2$. The 
encryption and decryption rules of the product cryptosystem are defined as follows: For each $K = (K_1, K_2)$, 
we have an encryption rule $e_K$ defined by the formula 

$$e_{(K_1, K_2)}(x) = e_{K_2}(e_{K_1}(x)),$$

and a decryption rule defined by the formula 

$$d_{(K_1, K_2)}(y) = d_{K_1}(d_{K_2}(y)).$$

That is, we first encrypt x with $e_{K_1}$, and then "re-encrypt" the resulting ciphertext with $e_{K_2}$. 
Decrypting is similar, but it must be done in the reverse order: 

$$d_{(K_1, K_2)}(e_{(K_1, K_2)}(x)) = d_{(K_1, K_2)}(e_{K_2}(e_{K_1}(x))) = d_{K_1}(d_{K_2}(e_{K_2}(e_{K_1}(x)))) = d_{K_1}(e_{K_1}(x)) = x.$$

Recall also that cryptosystems have probability distributions associated with their keyspaces. Thus we 
need to define the probability distribution for the keyspace $\mathcal{K}$ of the product cryptosystem. We do this 
in a very natural way: 

$$p_{\mathcal{K}}(K_1, K_2) = p_{\mathcal{K}_1}(K_1) \times p_{\mathcal{K}_2}(K_2).$$

Figure 2.2 Multiplicative Cipher 

In other words, choose $K_1$ using the distribution $p_{\mathcal{K}_1}$, and then independently choose $K_2$ using the 
distribution $p_{\mathcal{K}_2}$. 

Here is a simple example to illustrate the definition of a product cryptosystem. Suppose we define the 
Multiplicative Cipher as in Figure 2.2. 

Suppose M is the Multiplicative Cipher (with keys chosen equiprobably) and S is the Shift Cipher 
(with keys chosen equiprobably). Then it is very easy to see that M × S is nothing more than the Affine 
Cipher (again, with keys chosen equiprobably). It is slightly more difficult to show that S × M is also 
the Affine Cipher with equiprobable keys. 

Let's prove these assertions. A key in the Shift Cipher is an element $K \in \mathbb{Z}_{26}$, and the 
corresponding encryption rule is $e_K(x) = x + K \bmod 26$. A key in the Multiplicative Cipher is an 
element $a \in \mathbb{Z}_{26}$ such that $\gcd(a, 26) = 1$; the corresponding encryption rule is $e_a(x) = ax \bmod 26$. 
Hence, a key in the product cipher M × S has the form (a, K), where 

$$e_{(a, K)}(x) = ax + K \bmod 26.$$

But this is precisely the definition of a key in the Affine Cipher. Further, the probability of a key in the 
Affine Cipher is $1/312 = 1/12 \times 1/26$, which is the product of the probabilities of the keys a and K, 
respectively. Thus M × S is the Affine Cipher. 
Now let's consider S × M. A key in this cipher has the form (K, a), where 

$$e_{(K, a)}(x) = a(x + K) = ax + aK \bmod 26.$$

Thus the key (K, a) of the product cipher S × M is identical to the key (a, aK) of the Affine Cipher. It 
remains to show that each key of the Affine Cipher arises with the same probability 1/312 in the 
product cipher S × M. Observe that $aK = K_1$ if and only if $K = a^{-1} K_1$ (recall that $\gcd(a, 26) = 1$, so a has 
a multiplicative inverse). In other words, the key $(a, K_1)$ of the Affine Cipher is equivalent to the key 
$(a^{-1} K_1, a)$ of the product cipher S × M. We thus have a bijection between the two key spaces. Since each 
key is equiprobable, we conclude that S × M is indeed the Affine Cipher. 

We have shown that M × S = S × M. Thus we would say that the two cryptosystems commute. But not 
all pairs of cryptosystems commute; it is easy to find counterexamples. On the other hand, the product 
operation is always associative: $(S_1 \times S_2) \times S_3 = S_1 \times (S_2 \times S_3)$. 

If we take the product of an (endomorphic) cryptosystem S with itself, we obtain the cryptosystem S × S, 
which we denote by $S^2$. If we take the n-fold product, the resulting cryptosystem is denoted by $S^n$. We 
call $S^n$ an iterated cryptosystem. 

A cryptosystem S is defined to be idempotent if $S^2 = S$. Many of the cryptosystems we studied in 
Chapter 1 are idempotent. For example, the Shift, Substitution, Affine, Hill, Vigenère and 
Permutation Ciphers are all idempotent. Of course, if a cryptosystem S is idempotent, then there is no 
point in using the product system $S^2$, as it requires an extra key but provides no more security. 

If a cryptosystem is not idempotent, then there is a potential increase in security by iterating several 
times. This idea is used in the Data Encryption Standard, which consists of 16 iterations. But, of 
course, this approach requires a non-idempotent cryptosystem to start with. One way in which simple 
non-idempotent cryptosystems can sometimes be constructed is to take the product of two different 
(simple) cryptosystems. 

REMARK It is not hard to show that if $S_1$ and $S_2$ are both idempotent and they commute, then $S_1 \times S_2$ 
will also be idempotent. This follows from the following algebraic manipulations: 

$$(S_1 \times S_2) \times (S_1 \times S_2) = S_1 \times (S_2 \times S_1) \times S_2 = S_1 \times (S_1 \times S_2) \times S_2 = (S_1 \times S_1) \times (S_2 \times S_2) = S_1 \times S_2.$$

(Note the use of the associative property in this proof.) 

So, if $S_1$ and $S_2$ are both idempotent, and we want $S_1 \times S_2$ to be non-idempotent, then it is necessary that 
$S_1$ and $S_2$ not commute. 

Fortunately, many simple cryptosystems are suitable building blocks in this type of approach. Taking the 
product of substitution-type ciphers with permutation-type ciphers is a commonly used technique. We 
will see a realization of this in the next chapter. 
2.6 Notes 



The idea of perfect secrecy and the use of entropy techniques in cryptography was pioneered by 
Shannon [SH49] . Product cryptosystems are also discussed in this paper. The concept of entropy was 
defined by Shannon in [SH48]. Good introductions to entropy, Huffman coding and related topics can be 
found in the books by Welsh [WE88] and Goldie and Pinch [GP91]. 



The results of Section 2.4 are due to Beauchemin and Brassard [BB88], who generalized earlier results 
of Shannon. 



Exercises 



2.1 Let n be a positive integer. A Latin square of order n is an n × n array L of the integers 1, ..., 
n such that every one of the n integers occurs exactly once in each row and each column of L. An 
example of a Latin square of order 3 is as follows: 

    1  2  3 
    3  1  2 
    2  3  1 

Given any Latin square L of order n, we can define a related cryptosystem. Take 
$\mathcal{P} = \mathcal{C} = \mathcal{K} = \{1, \ldots, n\}$. For $1 \leq i \leq n$, the encryption rule $e_i$ is defined to be $e_i(j) = L(i, j)$. 
(Hence each row of L gives rise to one encryption rule.) 

Give a complete proof that this Latin square cryptosystem achieves perfect secrecy. 



2.2 Prove that the Affine Cipher achieves perfect secrecy. 

2.3 Suppose a cryptosystem achieves perfect secrecy for a particular plaintext probability 
distribution p. Prove that perfect secrecy is maintained for any plaintext probability distribution. 

2.4 Prove that if a cryptosystem has perfect secrecy and |K| = |C| = |P|, then every 
ciphertext is equally probable. 

2.5 Suppose X is a set of cardinality n, where 2^k ≤ n < 2^{k+1}, and p(x) = 1/n for all x ∈ X. 

(a) Find a prefix-free encoding of X, say f, such that ℓ(f) = k + 2 − 2^{k+1}/n. 

HINT Encode 2^{k+1} − n elements of X as strings of length k, and encode the remaining 
elements as strings of length k + 1. 

(b) Illustrate your construction for n = 6. Compute ℓ(f) and H(X) in this case. 

2.6 Suppose X = {a, b, c, d, e} has the following probability distribution: p(a) = .32, p(b) = .23, 
p(c) = .20, p(d) = .15 and p(e) = .10. Use Huffman's algorithm to find the optimal prefix-free 
encoding of X. Compare the length of this encoding to H(X). 

2.7 Prove that H(X, Y) = H(Y) + H(X|Y). Then show as a corollary that H(X|Y) ≤ H(X), with 
equality if and only if X and Y are independent. 

2.8 Prove that a cryptosystem has perfect secrecy if and only if H(P|C) = H(P). 

2.9 Prove that, in any cryptosystem, H(K|C) ≥ H(P|C). (Intuitively, this result says that, given a 
ciphertext, the opponent's uncertainty about the key is at least as great as his uncertainty about 
the plaintext.) 

2.10 Consider a cryptosystem in which P = {a, b, c}, K = {K_1, K_2, K_3} and C = {1, 2, 3, 4}. 
Suppose the encryption matrix is as follows: 

      a  b  c 
K_1   1  2  3 
K_2   2  3  4 
K_3   3  4  1 

Given that keys are chosen equiprobably, and the plaintext probability distribution is 
p_P(a) = 1/2, p_P(b) = 1/3, p_P(c) = 1/6, compute H(P), H(C), H(K), H(K|C) and H(P|C). 

2.11 Compute H(K|C) and H(K|P, C) for the Affine Cipher. 

2.12 Consider a Vigenère Cipher with keyword length m. Show that the unicity distance is 1/R_L, 
where R_L is the redundancy of the underlying language. (This result is interpreted as follows. If 
n_0 denotes the number of alphabetic characters being encrypted, then the "length" of the plaintext 
is n_0/m, since each plaintext element consists of m alphabetic characters. So, a unicity distance of 
1/R_L corresponds to a plaintext consisting of m/R_L alphabetic characters.) 

2.13 Show that the unicity distance of the Hill Cipher (with an m × m encryption matrix) is less 
than m/R_L. (Note that the number of alphabetic characters in a plaintext of this length is m^2/R_L.) 

2.14 A Substitution Cipher over a plaintext space of size n has |K| = n!. Stirling's formula 
gives the following estimate for n!: 

(a) Using Stirling's formula, derive an estimate of the unicity distance of the 
Substitution Cipher. 

(b) Let m > 1 be an integer. The m-gram Substitution Cipher is the Substitution 
Cipher where the plaintext (and ciphertext) spaces consist of all 26^m m-grams. Estimate 
the unicity distance of the m-gram Substitution Cipher if R_L = 0.75. 

2.15 Prove that the Shift Cipher is idempotent. 

2.16 Suppose S_1 is the Shift Cipher (with equiprobable keys, as usual) and S_2 is the Shift 
Cipher where keys are chosen with respect to some probability distribution p_K (which need not 
be equiprobable). Prove that S_1 × S_2 = S_1. 

2.17 Suppose S_1 and S_2 are Vigenère Ciphers with keyword lengths m_1, m_2 respectively, where 
m_1 > m_2. 

(a) If m_2 | m_1, then show that S_2 × S_1 = S_1. 

(b) One might try to generalize the previous result by conjecturing that S_2 × S_1 = S_3, 
where S_3 is the Vigenère Cipher with keyword length lcm(m_1, m_2). Prove that this 
conjecture is false. 

HINT If m_1 ≢ 0 (mod m_2), then the number of keys in the product cryptosystem S_2 × S_1 
is less than the number of keys in S_3. 
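Worked example for Exercises 2.1, 2.8 and 2.10, added here and not part of the book: given a plaintext distribution, a key distribution and an encryption matrix, the code forms the joint distribution p(x, K, y), reads off H(P), H(C), H(K), H(K|C) and H(P|C) from its marginals, and checks the perfect-secrecy condition p(x|y) = p(x) directly. The Exercise 2.10 system (plaintext distribution, equiprobable keys, encryption matrix) is taken from the text above; the Latin-square system is built from the order-3 square printed in Exercise 2.1 with equiprobable keys, and its plaintext distribution is a constructed choice for illustration.

```python
"""Entropy quantities of a cryptosystem and a perfect-secrecy check.

Added example (not code from the book).  A cryptosystem is given by the
plaintext distribution p_plain, the key distribution p_key and the encryption
matrix enc[K][x] = e_K(x).  Probabilities are Fractions so that the
perfect-secrecy test is exact; entropies are computed in bits.
"""
from fractions import Fraction
from math import log2


def joint(p_plain, p_key, enc):
    """p(x, K, y) for every (plaintext, key) pair, with y = e_K(x); K and x are independent."""
    return {(x, k, enc[k][x]): px * pk
            for x, px in p_plain.items() for k, pk in p_key.items()}


def marginal(table, pick):
    """Sum the joint table over everything except the coordinate(s) selected by pick."""
    out = {}
    for event, pr in table.items():
        key = pick(event)
        out[key] = out.get(key, 0) + pr
    return out


def entropy(dist):
    """Shannon entropy in bits; zero-probability events contribute nothing."""
    return -sum(float(pr) * log2(float(pr)) for pr in dist.values() if pr > 0)


def analyse(p_plain, p_key, enc):
    """H(P), H(C), H(K) and the conditional entropies H(K|C) = H(K,C) - H(C), H(P|C) = H(P,C) - H(C)."""
    t = joint(p_plain, p_key, enc)
    h_c = entropy(marginal(t, lambda e: e[2]))
    return {"H(P)": entropy(marginal(t, lambda e: e[0])),
            "H(C)": h_c,
            "H(K)": entropy(marginal(t, lambda e: e[1])),
            "H(K|C)": entropy(marginal(t, lambda e: (e[1], e[2]))) - h_c,
            "H(P|C)": entropy(marginal(t, lambda e: (e[0], e[2]))) - h_c}


def perfect_secrecy(p_plain, p_key, enc):
    """Perfect secrecy: p(x|y) = p(x) for every plaintext x and every ciphertext y that occurs."""
    t = joint(p_plain, p_key, enc)
    p_c = marginal(t, lambda e: e[2])
    p_pc = marginal(t, lambda e: (e[0], e[2]))
    return all(p_pc.get((x, y), 0) / p_c[y] == p_plain[x]
               for x in p_plain for y in p_c)


# Exercise 2.10 system, from the text: P = {a,b,c}, K = {K1,K2,K3}, C = {1,2,3,4}.
EX_2_10_PLAIN = {"a": Fraction(1, 2), "b": Fraction(1, 3), "c": Fraction(1, 6)}
EX_2_10_KEYS = {k: Fraction(1, 3) for k in ("K1", "K2", "K3")}
EX_2_10_ENC = {"K1": {"a": 1, "b": 2, "c": 3},
               "K2": {"a": 2, "b": 3, "c": 4},
               "K3": {"a": 3, "b": 4, "c": 1}}

# Exercise 2.1 system: row i of the order-3 Latin square from the text is e_i.
LATIN = [[1, 2, 3], [3, 1, 2], [2, 3, 1]]
LATIN_ENC = {i: {j: LATIN[i - 1][j - 1] for j in (1, 2, 3)} for i in (1, 2, 3)}
LATIN_KEYS = {i: Fraction(1, 3) for i in (1, 2, 3)}
LATIN_PLAIN = {1: Fraction(1, 2), 2: Fraction(1, 3), 3: Fraction(1, 6)}  # constructed
```

For the Exercise 2.10 system the check returns False, and the computed H(K|C) and H(P|C) coincide, so the inequality of Exercise 2.9 holds with equality there. For the Latin-square system the check returns True and H(P|C) equals H(P), which is the characterization of perfect secrecy asked for in Exercise 2.8; changing LATIN_PLAIN to any other distribution leaves both results unchanged, as Exercise 2.3 predicts.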
Chapter 3 

The Data Encryption Standard 

3.1 Introduction 

On May 15, 1973, the National Bureau of Standards published a solicitation for cryptosystems in the 
Federal Register. This led ultimately to the development of the Data Encryption Standard, or DES, 
which has become the most widely used cryptosystem in the world. DES was developed at IBM, as a 
modification of an earlier system known as LUCIFER. DES was first published in the Federal Register 
of March 17, 1975. After a considerable amount of public discussion, DES was adopted as a standard 
for "unclassified" applications on January 15, 1977. DES has been reviewed by the National Bureau of 
Standards (approximately) every five years since its adoption. Its most recent renewal was in January 
1994, when it was renewed until 1998. It is anticipated that it will not remain a standard past 1998. 

3.2 Description of DES 

A complete description of DES is given in the Federal Information Processing Standards Publication 46, 
dated January 15, 1977. DES encrypts a plaintext bitstring x of length 64 using a key K which is a 
bitstring of length 56, obtaining a ciphertext bitstring which is again a bitstring of length 64. We first 
give a "high-level" description of the system. 

The algorithm proceeds in three stages: 

1. Given a plaintext x, a bitstring x_0 is constructed by permuting the bits of x according to a 
(fixed) initial permutation IP. We write x_0 = IP(x) = L_0 R_0, where L_0 comprises the first 32 bits of 
x_0 and R_0 the last 32 bits. 

2. 16 iterations of a certain function are then computed. We compute L_i R_i, 
1 ≤ i ≤ 16, according to the following rule: 

L_i = R_{i-1} 
R_i = L_{i-1} ⊕ f(R_{i-1}, K_i) 

where ⊕ denotes the exclusive-or of two bitstrings. f is a function that we will describe later, and 
K_1, K_2, . . . , K_16 are each bitstrings of length 48 computed as a function of the key K. (Actually, 
each K_i is a permuted selection of bits from K.) K_1, . . . , K_16 comprises the key schedule. One 
round of encryption is depicted in Figure 3.1. 

Figure 3.1 One round of DES encryption 

3. Apply the inverse permutation IP^{-1} to the bitstring R_16 L_16, obtaining the ciphertext y. That is, 
y = IP^{-1}(R_16 L_16). Note the inverted order of L_16 and R_16. 

The function f takes as input a first argument A, which is a bitstring of length 32, and a second argument 
J that is a bitstring of length 48, and produces as output a bitstring of length 32. The following steps are 
executed. 

1. The first argument A is "expanded" to a bitstring of length 48 according to a fixed expansion 
function E. E(A) consists of the 32 bits from A, permuted in a certain way, with 16 of the bits 
appearing twice. 

Figure 3.2 The DES f function 

2. Compute E(A) ⊕ J and write the result as the concatenation of eight 6-bit strings B = 
B_1 B_2 B_3 B_4 B_5 B_6 B_7 B_8. 

3. The next step uses eight S-boxes S_1, . . . , S_8. Each S_j is a fixed 4 × 16 array whose entries 
come from the integers 0 − 15. Given a bitstring of length six, say B_j = b_1 b_2 b_3 b_4 b_5 b_6, we compute 
S_j(B_j) as follows. The two bits b_1 b_6 determine the binary representation of a row r of S_j (0 ≤ r ≤ 
3), and the four bits b_2 b_3 b_4 b_5 determine the binary representation of a column c of S_j (0 ≤ c ≤ 15). 
Then S_j(B_j) is defined to be the entry S_j(r, c), written in binary as a bitstring of length four. 
(Hence, each S_j can be thought of as a function that accepts as input a bitstring of length two and 
one of length four, and produces as output a bitstring of length four.) In this fashion, we compute 

C_j = S_j(B_j), 1 ≤ j ≤ 8. 

4. The bitstring C = C_1 C_2 C_3 C_4 C_5 C_6 C_7 C_8 of length 32 is permuted according to a fixed 
permutation P. The resulting bitstring P(C) is defined to be f(A, J). 

The f function is depicted in Figure 3.2. Basically, it consists of a substitution (using an S-box) followed 
by the (fixed) permutation P. The 16 iterations of f comprise a product cryptosystem, as described in 
Section 2.5. 
In the remainder of this section, we present the specific functions used in DES. 
The initial permutation IP is as follows: 

IP 
58 50 42 34 26 18 10 2 
60 52 44 36 28 20 12 4 
62 54 46 38 30 22 14 6 
64 56 48 40 32 24 16 8 
57 49 41 33 25 17  9 1 
59 51 43 35 27 19 11 3 
61 53 45 37 29 21 13 5 
63 55 47 39 31 23 15 7 

This means that the 58th bit of x is the first bit of IP(x); the 50th bit of x is the second bit of IP(x), etc. 
The inverse permutation IP^{-1} is: 

IP^{-1} 
40 8 48 16 56 24 64 32 
39 7 47 15 55 23 63 31 
38 6 46 14 54 22 62 30 
37 5 45 13 53 21 61 29 
36 4 44 12 52 20 60 28 
35 3 43 11 51 19 59 27 
34 2 42 10 50 18 58 26 
33 1 41  9 49 17 57 25 
The expansion function E is specified by the following table: 

E bit-selection table 
32  1  2  3  4  5 
 4  5  6  7  8  9 
 8  9 10 11 12 13 
12 13 14 15 16 17 
16 17 18 19 20 21 
20 21 22 23 24 25 
24 25 26 27 28 29 
28 29 30 31 32  1 
The eight S-boxes and the permutation P are now presented: 

S_1 
14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7 
 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8 
 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0 
15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13 

[S_2 through S_8 and the permutation P are not recoverable in this copy.] 
Finally, we need to describe the computation of the key schedule from the key K. Actually, K is a 
bitstring of length 64, of which 56 bits comprise the key and 8 bits are parity-check bits (for error-
detection). The bits in positions 8, 16, . . . , 64 are defined so that each byte contains an odd number of 
1's. Hence, a single error can be detected within each group of 8 bits. The parity-check bits are ignored 
in the computation of the key schedule. 

1. Given a 64-bit key K, discard the parity-check bits and permute the remaining bits of K 
according to a (fixed) permutation PC-1. We will write PC-1(K) = C_0 D_0, where C_0 comprises the 
first 28 bits of PC-1(K) and D_0 the last 28 bits. 

2. For i ranging from 1 to 16, compute 

C_i = LS_i(C_{i-1}) 
D_i = LS_i(D_{i-1}) 

and K_i = PC-2(C_i D_i). LS_i represents a cyclic shift (to the left) of either one or two positions, 
depending on the value of i: shift one position if i = 1, 2, 9 or 16, and shift two positions 
otherwise. PC-2 is another fixed permutation. 

The key schedule computation is depicted in Figure 3.3. 

The permutations PC-1 and PC-2 used in the key schedule computation are as follows: 

[The PC-1 and PC-2 tables are not recoverable in this copy.] 

Figure 3.3 Computation of DES key schedule 
We now display the resulting key schedule. As mentioned above, each round uses a 48-bit key 
comprised of 48 of the bits in K. The entries in the tables below refer to the bits in K that are used in the 
various rounds. 

Round 1 
10 51 34 60 49 17 33 57 2 9 19 42 3 35 26 25 44 58 59 1 36 27 18 41 
22 28 39 54 37 4 47 30 5 53 23 29 61 21 38 63 15 20 45 14 13 62 55 31 

Round 2 
2 43 26 52 41 9 25 49 59 1 11 34 60 27 18 17 36 50 51 58 57 19 10 33 
14 20 31 46 29 63 39 22 28 45 15 21 53 13 30 55 7 12 37 6 5 54 47 23 

Round 3 
51 27 10 36 25 58 9 33 43 50 60 18 44 11 2 1 49 34 35 42 41 3 59 17 
61 4 15 30 13 47 23 6 12 29 62 5 37 28 14 39 54 63 21 53 20 38 31 7 

Round 4 
35 11 59 49 9 42 58 17 27 34 44 2 57 60 51 50 33 18 19 26 25 52 43 1 
45 55 62 14 28 31 7 53 63 13 46 20 21 12 61 23 38 47 5 37 4 22 15 54 

Round 5 
19 60 43 33 58 26 42 1 11 18 57 51 41 44 35 34 17 2 3 10 9 36 27 50 
29 39 46 61 12 15 54 37 47 28 30 4 5 63 45 7 22 31 20 21 55 6 62 38 

Round 6 
3 44 27 17 42 10 26 50 60 2 41 35 25 57 19 18 1 51 52 59 58 49 11 34 
13 23 30 45 63 62 38 21 31 12 14 55 20 47 29 54 6 15 4 5 39 53 46 22 

Round 7 
52 57 11 1 26 59 10 34 44 51 25 19 9 41 3 2 50 35 36 43 42 33 60 18 
28 7 14 29 47 46 22 5 15 63 61 39 4 31 13 38 53 62 55 20 23 37 30 6 

Round 8 
36 41 60 50 10 43 59 18 57 35 9 3 58 25 52 51 34 19 49 27 26 17 44 2 
12 54 61 13 31 30 6 20 62 47 45 23 55 15 28 22 37 46 39 4 7 21 14 53 

Round 9 
57 33 52 42 2 35 51 10 49 27 1 60 50 17 44 43 26 11 41 19 18 9 36 59 
4 46 53 5 23 22 61 12 54 39 37 15 47 7 20 14 29 38 31 63 62 13 6 45 

Round 10 
41 17 36 26 51 19 35 59 33 11 50 44 34 1 57 27 10 60 25 3 2 58 49 43 
55 30 37 20 7 6 45 63 38 23 21 62 31 54 4 61 13 22 15 47 46 28 53 29 

Round 11 
25 1 49 10 35 3 19 43 17 60 34 57 18 50 41 11 59 44 9 52 51 42 33 27 
39 14 21 4 54 53 29 47 22 7 5 46 15 38 55 45 28 6 62 31 30 12 37 13 

Round 12 
9 50 33 59 19 52 3 27 1 44 18 41 2 34 25 60 43 57 58 36 35 26 17 11 
23 61 5 55 38 37 13 31 6 54 20 30 62 22 39 29 12 53 46 15 14 63 21 28 

[The tables for Round 13 through Round 16 are not recoverable in this copy.] 

Decryption is done using the same algorithm as encryption, starting with y as the input, but using the key 
schedule K_1, . . . , K_16 in reverse order. The output will be the plaintext x. 

3.2.1 An Example of DES Encryption 

Here is an example of encryption using the DES. Suppose we encrypt the (hexadecimal) plaintext 

0123456789ABCDEF 

using the (hexadecimal) key 

133457799BBCDFF1 . 
The key, in binary, without parity-check bits, is 

00010010011010010101101111001001101101111011011111111000. 
Applying IP, we obtain L_0 and R_0 (in binary): 

L_0 = 11001100000000001100110011111111 
R_0 = 11110000101010101111000010101010 

The 16 rounds of encryption are then performed, as indicated. For each round i the table lists 
E(R_{i-1}), K_i, E(R_{i-1}) ⊕ K_i, the S-box outputs, f(R_{i-1}, K_i), L_i = R_{i-1} and R_i. 

[The per-round bitstrings are not legible in this copy. The final halves are 
L_16 = 01000011010000100011001000110100 and R_16 = 00001010010011001101100110010101.] 

Finally, applying IP^{-1} to R_16 L_16, we obtain the ciphertext, which (in hexadecimal form) is: 

85E813540F0AB405 . 
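The Feistel structure of Section 3.2, as an added example that is not code from the book: it carries the IP, IP^{-1} and E tables and the S-box S_1 printed above, applies the row/column rule for an S-box lookup, runs the sixteen rounds L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, K_i), and shows that decryption is the same computation with the key schedule reversed. Everything not on the page is an assumption and is marked as such: S_1 is used in all eight S-box positions, the permutation P is taken as the identity, and the subkeys are a constructed list rather than the PC-1/PC-2 schedule, so the result is a DES-shaped Feistel cipher and not DES itself. The one value it reproduces from the text is the pair L_0, R_0 obtained by applying IP to the example plaintext 0123456789ABCDEF.

```python
"""Feistel skeleton of DES with the IP, IP^-1 and E tables and S-box S1 of Section 3.2.

Added example, not code from the book.  Assumptions (marked below): S1 stands in for
all eight S-boxes, the permutation P is the identity, and the sixteen 48-bit subkeys
are a constructed list rather than the PC-1/PC-2 key schedule.  Bitstrings are lists
of 0/1 ints with bit 1 first, matching the 1-indexed tables of the text.
"""

IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]

IP_INV = [40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31,
          38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29,
          36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27,
          34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25]

E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def permute(bits, table):
    """Output bit j is input bit table[j]; tables are 1-indexed as in the text."""
    return [bits[t - 1] for t in table]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def sbox(s, b):
    """Row from bits b1 b6, column from bits b2 b3 b4 b5; the entry is written as 4 bits."""
    row = (b[0] << 1) | b[5]
    col = (b[1] << 3) | (b[2] << 2) | (b[3] << 1) | b[4]
    v = s[row][col]
    return [(v >> 3) & 1, (v >> 2) & 1, (v >> 1) & 1, v & 1]


def f(a, j):
    """E(A) xor J, split into eight 6-bit strings, one S-box lookup each, then P."""
    b = xor(permute(a, E), j)
    c = []
    for k in range(8):
        c += sbox(S1, b[6 * k:6 * k + 6])  # assumption: S1 stands in for S1..S8
    return c  # assumption: P taken as the identity (P is not on the page)


def feistel(x, schedule):
    """IP, sixteen rounds L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i), then IP^-1 of R_16 L_16."""
    x0 = permute(x, IP)
    l, r = x0[:32], x0[32:]
    for k in schedule:
        l, r = r, xor(l, f(r, k))
    return permute(r + l, IP_INV)  # note the swapped halves


def encrypt(x, schedule):
    return feistel(x, schedule)


def decrypt(y, schedule):
    """Same algorithm with the key schedule in reverse order, as the text states."""
    return feistel(y, schedule[::-1])


def hex_to_bits(h):
    return [int(c) for c in format(int(h, 16), "0%db" % (4 * len(h)))]


def bits_to_str(bits):
    return "".join(str(b) for b in bits)


def initial_halves(plaintext_hex):
    """L_0 and R_0 as in the text's example: x_0 = IP(x) split into two 32-bit halves."""
    x0 = permute(hex_to_bits(plaintext_hex), IP)
    return bits_to_str(x0[:32]), bits_to_str(x0[32:])


# Constructed subkeys K_1..K_16 (not derived by PC-1/PC-2), each a bitstring of length 48.
SCHEDULE = [[(i * j + j // 3) % 2 for j in range(48)] for i in range(1, 17)]
```

initial_halves("0123456789ABCDEF") returns the L_0 and R_0 shown in the example above, and sbox(S1, [0, 1, 1, 0, 1, 1]) illustrates the lookup rule: row 01 = 1, column 1101 = 13, entry 5, output 0101. Because decrypt() only reverses the order of the subkeys, the round trip decrypt(encrypt(x)) = x holds whatever function f is used, which is the point of the Feistel design; the security of the real cipher rests entirely on f and the key schedule, not on the skeleton.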

3.3 The DES Controversy 

When DES was proposed as a standard, there was considerable criticism. One objection to DES 
concerned the S-boxes. All computations in DES, with the exception of the S-boxes, are linear, e.g., 
computing the exclusive-or of two outputs is the same as forming the exclusive-or of two inputs and 
then computing the output. The S-boxes, being the non-linear component of the cryptosystem, are vital 
to its security. (We saw in Chapter 1 how linear cryptosystems, such as the Hill Cipher, could easily be 
cryptanalyzed by a known plaintext attack.) However, the design criteria of the S-boxes are not 
completely known. Several people have suggested that the S-boxes might contain hidden "trapdoors" 
which would allow the National Security Agency to decrypt messages while maintaining that DES is 
"secure." It is, of course, impossible to disprove such an assertion, but no evidence has come to light that 
indicates that trap-doors in DES do in fact exist. 

In 1976, the National Security Agency (NSA) asserted that the following properties of the S-boxes are 
design criteria: 

P0 Each row of each S-box is a permutation of the integers 0, . . . , 15. 
P1 No S-box is a linear or affine function of its inputs. 

P2 Changing one input bit to an S-box causes at least two output bits to change. 

P3 For any S-box and any input x, S(x) and S(x ⊕ 001100) differ in at least two bits (here x is a 
bitstring of length 6). 

Two other properties of the S-boxes were designated as "caused by design criteria" by NSA. 

P4 For any S-box, for any input x, and for e, f ∈ {0, 1}, S(x) ≠ S(x ⊕ 11ef00). 
P5 For any S-box, if one input bit is fixed, and we look at the value of one fixed output bit, the 
number of inputs for which this output bit equals 0 will be "close to" the number of inputs for 
which the output bit equals 1 . (Note that if we fix the value of either the first or sixth input bit, 
then 16 inputs will cause a particular output bit to equal 0 and 16 inputs will cause the output to 
equal 1. For the second through fifth input bits, this will not be true, but the resulting distribution 
will be "close to" uniform. More precisely, for any S-box, if the value of any input bit is fixed, 
then the number of inputs for which any fixed output bit has the value 0 (or 1) is always between 
13 and 19.) 
It is not publicly known if further design criteria were used in the construction of the S-boxes. 

The most pertinent criticism of DES is that the size of the keyspace, 2^{56}, is too small to be really secure. 
Various special-purpose machines have been proposed for a known plaintext attack, which would 
essentially perform an exhaustive search for the key. That is, given a 64-bit plaintext x and corresponding 
ciphertext y, every possible key would be tested until a key K such that e_K(x) = y is found (and note that 
there may be more than one such key K). 

As early as 1977, Diffie and Hellman suggested that one could build a VLSI chip which could test 10^6 
keys per second. A machine with 10^6 chips could search the entire key space in about a day. They 
estimated that such a machine could be built for about $20,000,000. 

At the CRYPTO '93 Rump Session, Michael Wiener gave a very detailed design of a key search 
machine. The machine is based on a key search chip which is pipelined, so that 16 encryptions take 
place simultaneously. This chip can test 5 × 10^7 keys per second, and can be built using current 
technology for $10.50 per chip. A frame consisting of 5760 chips can be built for $100,000. This would 
allow a DES key to be found in about 1.5 days on average. A machine using 10 frames would cost 
$1,000,000, but would reduce the average search time to about 3.5 hours. 

3.4 DES in Practice 

Even though the description of DES is quite lengthy, it can be implemented very efficiently, either in 
hardware or in software. The only arithmetic operations to be performed are exclusive-ors of bitstrings. 
The expansion function E, the S-boxes, the permutations IP and P, and the computation of K_1, . . . , 
K_16 can all be done in constant time by table look-up (in software) or by hard-wiring them into a circuit. 

Current hardware implementations can attain extremely fast encryption rates. Digital Equipment 
Corporation announced at CRYPTO '92 that they have fabricated a chip with 50K transistors that can 
encrypt at the rate of 1 Gbit/second using a clock rate of 250 MHz! The cost of this chip is about $300. 
As of 1991, there were 45 hardware and firmware implementations of DES that had been validated by 
the National Bureau of Standards. 

One very important application of DES is in banking transactions, using standards developed by the 
American Bankers Association. DES is used to encrypt personal identification numbers (PINs) and 
account transactions carried out by automated teller machines (ATMs). DES is also used by the Clearing 
House Interbank Payments System (CHIPS) to authenticate transactions involving over $1.5 × 10^{12} per 
week. 

DES is also widely used in government organizations, such as the Department of Energy, the Justice 
Department, and the Federal Reserve System. 
3.4.1 DES Modes of Operation 

Four modes of operation have been developed for DES: electronic codebook mode (ECB), cipher 
feedback mode (CFB), cipher block chaining mode (CBC) and output feedback mode (OFB). 

ECB mode corresponds to the usual use of a block cipher: given a sequence x_1 x_2 . . . of 64-bit plaintext 
blocks, each x_i is encrypted with the same key K, producing a string of ciphertext blocks, y_1 y_2 . . .. 

In CBC mode, each ciphertext block y_i is x-ored with the next plaintext block x_{i+1} before being 
encrypted with the key K. More formally, we start with a 64-bit initialization vector IV, and define y_0 = 
IV. Then we construct y_1, y_2, . . . from the rule y_i = e_K(y_{i-1} ⊕ x_i), i ≥ 1. The use of CBC mode is depicted 
in Figure 3.4. 

Figure 3.4 CBC mode 

Figure 3.5 CFB mode 



In OFB and CFB modes, a keystream is generated which is then x-ored with the plaintext (i.e., it 
operates as a stream cipher, cf. Section 1.1.7). OFB is actually a synchronous stream cipher: the 
keystream is produced by repeatedly encrypting a 64-bit initialization vector, IV. We define z_0 = IV, and 
then compute the keystream z_1 z_2 . . . from the rule z_i = e_K(z_{i-1}), i ≥ 1. The plaintext sequence x_1 x_2 . . . is 
then encrypted by computing y_i = x_i ⊕ z_i, i ≥ 1. 

In CFB mode, we start with y_0 = IV (a 64-bit initialization vector) and we produce the keystream 
element z_i by encrypting the previous ciphertext block. That is, z_i = e_K(y_{i-1}), i ≥ 1. As in OFB mode, 
y_i = x_i ⊕ z_i, i ≥ 1. The use of CFB is depicted in Figure 3.5 (note that the DES encryption function e_K is used 
for both encryption and decryption in CFB and OFB modes). 

There are also variations of OFB and CFB mode called k-bit feedback modes (1 < k < 64). We have 
described the 64-bit feedback modes here. 1-bit and 8-bit feedback modes are often used in practice for 
encrypting data one bit (or byte) at a time. 

The four modes of operation have different advantages and disadvantages. In ECB and OFB modes, 
changing one 64-bit plaintext block, x_i, causes the corresponding ciphertext block, y_i, to be altered, but 

other ciphertext blocks are not affected. In some situations this might be a desirable property. For 
example, OFB mode is often used to encrypt satellite transmissions. 

On the other hand, if a plaintext block x_i is changed in CBC and CFB modes, then y_i and all subsequent 

ciphertext blocks will be affected. This property means that CBC and CFB modes are useful for 
purposes of authentication. More specifically, these modes can be used to produce a message 
authentication code, or MAC. The MAC is appended to a sequence of plaintext blocks, and is used to 
convince Bob that the given sequence of plaintext originated with Alice and was not tampered with by 
Oscar. Thus the MAC guarantees the integrity (or authenticity) of a message (but it does not provide 
secrecy, of course). 

We will describe how CBC mode is used to produce a MAC. We begin with the initialization vector IV 
consisting of all zeroes. Then construct the ciphertext blocks y_1, ..., y_n with key K, using CBC mode. 
Finally, define the MAC to be y_n. Then Alice transmits the sequence of plaintext blocks, x_1 ... x_n, along 
with the MAC. When Bob receives x_1, ..., x_n, he can reconstruct y_1, ..., y_n using the (secret) key K, and 
verify that y_n is the same as the MAC that he received. 

Note that Oscar cannot produce a valid MAC since he does not know the key K being used by Alice and 
Bob. Further, if Oscar intercepts a sequence of plaintext blocks x_1 ... x_n, and changes one or more of 
them, then it is highly unlikely that Oscar can change the MAC so that it will be accepted by Bob. 

It is often desirable to combine authenticity and secrecy. This could be done as follows: Alice first uses 
key K_1 to produce a MAC for x_1 ... x_n. Then she defines x_{n+1} to be the MAC, and she encrypts the 
sequence x_1 ... x_{n+1} using a second key, K_2, yielding y_1 ... y_{n+1}. When Bob receives y_1 ... y_{n+1}, he first 
decrypts (using K_2) and then checks that x_{n+1} is the MAC for x_1 ... x_n using K_1. 

Alternatively, Alice could use K_1 to encrypt x_1 ... x_n, obtaining y_1 ... y_n, and then use K_2 to produce a 
MAC y_{n+1} for y_1 ... y_n. Bob would use K_2 to verify the MAC, and then use K_1 to decrypt y_1 ... y_n. 
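The CBC-MAC and the first way of combining it with encryption, as an added worked example (this is not code from the book). The 64-bit block cipher standing in for e_K is a constructed toy Feistel cipher, and the keys, IV and messages are sample values made up for the example. The MAC is y_n of a CBC encryption under an all-zero IV; Bob's check recomputes y_n; mac_then_encrypt appends x_{n+1} = MAC and encrypts x_1 ... x_{n+1} under the second key K_2, and decrypt_then_verify is Bob's side of that exchange.

```python
"""CBC-MAC with a zero IV (MAC = y_n), plus the MAC-then-encrypt combination."""
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, as for DES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, subkey: bytes) -> bytes:
    # Toy Feistel round function: a keyed hash truncated to 32 bits (constructed, not DES's f).
    return hashlib.sha256(subkey + half).digest()[:4]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for e_K: an 8-round Feistel cipher on 64-bit blocks (constructed; not DES)."""
    if len(block) != BLOCK:
        raise ValueError("block must be 64 bits")
    left, right = block[:4], block[4:]
    for r in range(8):
        left, right = right, _xor(left, _f(right, key + bytes([r])))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt: the same rounds in reverse order."""
    left, right = block[:4], block[4:]
    for r in reversed(range(8)):
        left, right = _xor(right, _f(left, key + bytes([r]))), left
    return left + right


def to_blocks(data: bytes) -> list:
    """Split a message into 64-bit blocks x_1, ..., x_n (whole blocks only, no padding)."""
    if len(data) % BLOCK:
        raise ValueError("message must be a whole number of 64-bit blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_mac(key: bytes, blocks: list) -> bytes:
    """MAC = y_n, the last block of CBC encryption under key with IV = 00...0."""
    y = bytes(BLOCK)  # the all-zero IV from the text
    for x in blocks:
        y = toy_encrypt(key, _xor(x, y))
    return y


def verify_mac(key: bytes, blocks: list, tag: bytes) -> bool:
    """Bob recomputes y_n and compares in constant time, so timing leaks nothing to Oscar."""
    return hmac.compare_digest(cbc_mac(key, blocks), tag)


def cbc_encrypt(key: bytes, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for x in blocks:
        prev = toy_encrypt(key, _xor(x, prev))
        out.append(prev)
    return out


def cbc_decrypt(key: bytes, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for y in blocks:
        out.append(_xor(toy_decrypt(key, y), prev))
        prev = y
    return out


def mac_then_encrypt(k1: bytes, k2: bytes, iv: bytes, blocks: list) -> list:
    """Alice: x_{n+1} = MAC under K_1 of x_1..x_n, then CBC-encrypt x_1..x_{n+1} under K_2."""
    return cbc_encrypt(k2, iv, blocks + [cbc_mac(k1, blocks)])


def decrypt_then_verify(k1: bytes, k2: bytes, iv: bytes, cblocks: list):
    """Bob: decrypt under K_2, then check that x_{n+1} is the MAC of x_1..x_n under K_1.
    Returns the plaintext blocks, or None when the check fails."""
    xs = cbc_decrypt(k2, iv, cblocks)
    body, tag = xs[:-1], xs[-1]
    return body if verify_mac(k1, body, tag) else None


def demo() -> dict:
    # Constructed keys, IV and messages; nothing here comes from the book's examples.
    k1, k2 = b"mac-key-K1", b"enc-key-K2"
    iv = bytes.fromhex("0123456789abcdef")
    msg = to_blocks(b"pay Bob 100 USD.")     # two 64-bit blocks
    forged = to_blocks(b"pay Eve 900 USD.")  # Oscar's edit of the plaintext
    tag = cbc_mac(k1, msg)
    ct = mac_then_encrypt(k1, k2, iv, msg)
    tampered = list(ct)
    tampered[1] = _xor(ct[1], b"\x80" + bytes(7))  # flip one ciphertext bit in transit
    return {
        "accepts_genuine": verify_mac(k1, msg, tag),
        "accepts_forgery": verify_mac(k1, forged, tag),
        "roundtrip": decrypt_then_verify(k1, k2, iv, ct) == msg,
        "tampered": decrypt_then_verify(k1, k2, iv, tampered),
    }
```

The comparison in verify_mac is constant-time so that a forger learns nothing from how quickly a bad tag is rejected. The construction exactly as stated is only sound when every message has the same number of blocks; for messages of varying length the length must be bound into the first block or a variant such as CMAC used, otherwise tags of short messages can be extended.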
3.5 A Time-memory Trade-off 



In this section, we describe an interesting time-memory tradeoff for a chosen plaintext attack. Recall that 
in a chosen plaintext attack, Oscar obtains a plaintext-ciphertext pair produced using the (unknown) key 
K. So Oscar has x and y, where y = e_K(x), and he wants to determine K. 



A feature of this time-memory trade-off is that it does not depend on the "structure" of DES in any way. 
The only aspects of DES that are relevant to the attack are that plaintexts and ciphertexts have 64 bits, 
while keys have 56 bits. 



Figure 3.6 Computation of X(i, j) 



We have already discussed the idea of exhaustive search: given a plaintext-ciphertext pair, try all 2^56 
possible keys. This requires no memory but, on average, 2^55 keys will be tried before the correct one is 
found. On the other hand, for a given plaintext x, Oscar could precompute y_K = e_K(x) for all 2^56 keys K, 
and construct a table of ordered pairs (y_K, K), sorted by their first coordinates. At a later time, when 
Oscar obtains the ciphertext y which is an encryption of plaintext x, he looks up the value y in the table, 
immediately obtaining the key K. Now the actual determination of the key requires only constant time, 
but we have a large memory requirement and a large precomputation time. (Note that this approach 
would yield no advantage in total computation time if only one key is to be found, since constructing the 
table takes at least as much time as an exhaustive search. The advantage occurs when several keys are to 
be found over a period of time, since the same table can be used in each case.) 



The time-memory trade-off combines a smaller computation time than exhaustive search with a smaller 
memory requirement than table look-up. The algorithm can be described in terms of two parameters m 
and t, which are positive integers. The algorithm requires a reduction function R which reduces a 
bitstring of length 64 to one of length 56. (R might just discard eight of the 64 bits, for example.) Let x 
be a fixed plaintext string of length 64. Define the function 

$$g(K) = R(e_K(x))$$

for a bitstring K of length 56. Note that g is a function that maps 56 bits to 56 bits. 

In the pre-processing stage, Oscar chooses m random bitstrings of length 56, denoted X(i, 0), 1 ≤ i ≤ m. 
Oscar computes X(i, j) for 1 ≤ j ≤ t according to the recurrence relation X(i, j) = g(X(i, j - 1)), 1 ≤ i ≤ m, 
1 ≤ j ≤ t, as indicated in Figure 3.6. 

Then Oscar constructs a table of ordered pairs T = (X(i, t), X(i, 0)), sorted by their first coordinate (i.e., 
only the first and last columns of X are stored). 

At a later time, Oscar obtains a ciphertext y which is an encryption of the chosen plaintext x (as before). 
He again wants to determine K. He is going to determine if K is in the first t columns of the array X, but 
he will do this by looking only at the table T. 



Figure 3.7 DES time-memory trade-off 

Suppose that K = X(i, t - j) for some j, 1 ≤ j ≤ t (i.e., suppose that K is in the first t columns of X). Then it 
is clear that g^j(K) = X(i, t), where g^j denotes the function obtained by iterating g, j times. Now, observe 
that 

$$g^j(K) = g^{j-1}(g(K)) = g^{j-1}(R(e_K(x))) = g^{j-1}(R(y)).$$

Suppose we compute y_j, 1 ≤ j ≤ t, from the recurrence relation 

$$y_j = \begin{cases} R(y) & \text{if } j = 1 \\ g(y_{j-1}) & \text{if } 2 \le j \le t. \end{cases}$$

Then it follows that y_j = X(i, t) if K = X(i, t - j). However, note that y_j = X(i, t) is not sufficient to ensure 
that K = X(i, t - j). This is because the reduction function R is not an injection: The domain of R has 
cardinality 2^64 and the range of R has cardinality 2^56, so, on average, there are 2^8 = 256 pre-images of 
any given bitstring of length 56. So we need to check whether y = e_{X(i, t-j)}(x), to see if X(i, t - j) is indeed 
the key. We did not store the value X(i, t - j), but we can easily re-compute it from X(i, 0) by iterating the 
g function t - j times. 

Oscar proceeds according to the algorithm presented in Figure 3.7. 

By analyzing the probability of success for the algorithm, it can be shown that if 

then the probability that K = X(i, t - j) for some i, j is about 0.8mt/N. The factor 0.8 accounts for the fact 
that the numbers X(i, t) may not all be distinct. It is suggested that one should take m ≈ t ≈ N^{1/3} 
and construct about N^{1/3} tables, each using a different reduction function R. If this is done, the memory 
requirement is 112 × N^{2/3} bits (since we need to store 2 × N^{2/3} integers, each of which has 56 bits). The 
precomputation time is easily seen to be O(N). 

The running time is a bit more difficult to analyze. First, note that step 3 can be implemented to run in 
(expected) constant time (using hash coding) or (worst-case) time O(log m) using a binary search. If step 
3 is never satisfied (i.e., the search fails), then the running time is O(N^{2/3}). A more detailed analysis 
shows that even when the running time of steps 4 and 5 is taken into account, the expected running time 
increases by only a constant factor. 
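The trade-off of this section at toy scale, as an added illustration that is not the book's Figure 3.7 code: keys are 16 bits and blocks 24 bits (constructed sizes, so that a table is built in a fraction of a second), e_K is a constructed keyed-hash toy cipher, and R discards 8 of the 24 bits, salted so that each table gets a different R as the text suggests. lookup follows the recurrence y_1 = R(y), y_j = g(y_{j-1}), recomputes X(i, t - j) from X(i, 0) when y_j matches a stored X(i, t), and confirms the candidate with e_{X(i, t-j)}(x) = y to reject the false alarms that a non-injective R produces.

```python
"""Toy version of the time-memory trade-off on a constructed 16-bit-key cipher."""
import hashlib
import random

KEY_BITS, BLOCK_BITS = 16, 24   # constructed toy sizes standing in for DES's 56 and 64
N = 1 << KEY_BITS               # number of keys


def enc(key: int, x: int) -> int:
    """Toy block cipher e_K(x): a keyed hash truncated to 24 bits (constructed, not DES)."""
    data = key.to_bytes(2, "big") + x.to_bytes(3, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:3], "big")


def reduce_(y: int, salt: int) -> int:
    """Reduction R: discard 8 of the 24 bits; the salt makes each table's R different."""
    return (y >> 8) ^ salt


def build_table(x: int, m: int, t: int, salt: int, seed: int = 1) -> dict:
    """Pre-processing: m chains X(i,0), X(i,1) = g(X(i,0)), ..., X(i,t); keep only the end points.
    The table maps X(i,t) -> X(i,0). Chains that collide on X(i,t) overwrite one another,
    which is the loss the factor 0.8 in the text accounts for."""
    rng = random.Random(seed)
    table = {}
    for _ in range(m):
        x0 = rng.randrange(N)
        k = x0
        for _ in range(t):
            k = reduce_(enc(k, x), salt)   # g(K) = R(e_K(x))
        table[k] = x0
    return table


def lookup(x: int, y: int, table: dict, t: int, salt: int):
    """Given y = e_K(x), test whether K lies in columns 0..t-1 of X using only the table."""
    yj = reduce_(y, salt)                  # y_1 = R(y) = g(K)
    for j in range(1, t + 1):
        if yj in table:                    # y_j = X(i, t) for some i: candidate K = X(i, t - j)
            k = table[yj]                  # X(i, 0)
            for _ in range(t - j):
                k = reduce_(enc(k, x), salt)
            if enc(k, x) == y:             # R is not injective, so confirm before accepting
                return k
        yj = reduce_(enc(yj, x), salt)     # y_{j+1} = g(y_j)
    return None


def recover(x: int, y: int, tables: list, t: int):
    """Try each (salt, table) in turn; about N^(1/3) tables are suggested in the text."""
    for salt, table in tables:
        k = lookup(x, y, table, t, salt)
        if k is not None:
            return k
    return None


def success_rate(trials: int = 40, seed: int = 7) -> float:
    """Fraction of random keys recovered with m = t = number of tables = 40 (about N^(1/3))."""
    m = t = ntab = 40
    x = 0x123456                            # the fixed chosen plaintext
    tables = [(salt, build_table(x, m, t, salt, seed=salt)) for salt in range(ntab)]
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.randrange(N)
        hits += recover(x, enc(key, x), tables, t) == key
    return hits / trials
```

success_rate() builds the N^{1/3} tables of N^{1/3} entries each and reports how many random keys they recover; the per-table probability is the 0.8mt/N of the text, and the memory is 2mN^{1/3} integers rather than N. Nothing in the code depends on the internals of enc, which is the point made above: only the key and block lengths matter to this attack.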
3.6 Differential Cryptanalysis 

One very well-known attack on DES is the method of "differential cryptanalysis" introduced by Biham 
and Shamir. This is a chosen-plaintext attack. Although it does not provide a practical method of 
breaking the usual 16-round DES, it does succeed in breaking DES if the number of rounds of 
encryption is reduced. For instance, 8-round DES can be broken in only a couple of minutes on a small 
personal computer. 

We will now describe the basic ideas used in this technique. For the purposes of this attack, we can 
ignore the initial permutation IP and its inverse (it has no effect on cryptanalysis). As mentioned above, 
we consider DES restricted to n rounds, for various values of n ≤ 16. So, in this setting, we will regard 
L_0R_0 as the plaintext, and L_nR_n as the ciphertext, in an n-round DES. (Note also that we are not inverting 
L_nR_n.) 

Differential cryptanalysis involves comparing the x-or (exclusive-or) of two plaintexts to the x-or of the 
corresponding two ciphertexts. In general, we will be looking at two plaintexts L_0R_0 and L_0*R_0* with a 
specified x-or value L_0'R_0' = L_0R_0 ⊕ L_0*R_0*. Throughout this discussion, we will use prime 
markings (') to indicate the x-or of two bitstrings. 

DEFINITION 3.1 Let S_j be a particular S-box (1 ≤ j ≤ 8). Consider an (ordered) pair of bitstrings of 
length six, say (B_j, B_j*). We say that the input x-or (of S_j) is B_j ⊕ B_j* and the output x-or (of S_j) is 
S_j(B_j) ⊕ S_j(B_j*). 

Note that an input x-or is a bitstring of length six and an output x-or is a bitstring of length four. 

DEFINITION 3.2 For any B_j' ∈ (Z_2)^6, define the set Δ(B_j') to consist of the ordered pairs (B_j, B_j*) 
having input x-or B_j'. 

It is easy to see that any set Δ(B_j') contains 2^6 = 64 pairs, and that 

$$\Delta(B_j') = \{(B_j, B_j \oplus B_j') : B_j \in (\mathbb{Z}_2)^6\}.$$

For each pair in Δ(B_j') we can compute the output x-or of S_j and tabulate the resulting distribution. 
There are 64 output x-ors, which are distributed among 2^4 = 16 possible values. The non-uniformity of 
these distributions will be the basis for the attack. 

Example 3.1 

Suppose we consider the first S-box, and the input x-or 110100. Then 

Δ(110100) = {(000000, 110100), (000001, 110101), ..., (111111, 001011)}. 

For each ordered pair in the set Δ(110100), we compute the output x-or of S_1. For example, S_1(000000) = 
E = 1110 and S_1(110100) = 9 = 1001, so the output x-or for the pair (000000, 110100) is 0111. 

If this is done for all 64 pairs in Δ(110100), then the following distribution of output x-ors is obtained: 

output x-or   0000  0001  0010  0011  0100  0101  0110  0111 
count            0     8    16     6     2     0     0    12 

output x-or   1000  1001  1010  1011  1100  1101  1110  1111 
count            6     0     0     0     0     8     0     6 

In Example 3.1, only eight of the 16 possible output x-ors actually occur. This particular example has a 
very non-uniform distribution. In general, if we fix an S-box S_j and an input x-or B_j', then on average, it 
turns out that about 75 - 80% of the possible output x-ors actually occur. 

It will be convenient to have some notation to describe these distributions and how they arise, so we 
make the following definitions. 

DEFINITION 3.3 For 1 ≤ j ≤ 8, and for bitstrings B_j' of length six and C_j' of length four, define 

$$N_j(B_j', C_j') = |\{(B_j, B_j^*) \in \Delta(B_j') : S_j(B_j) \oplus S_j(B_j^*) = C_j'\}|.$$

Figure 3.8 Possible inputs with input x-or 110100 

N_j(B_j', C_j') counts the number of pairs with input x-or equal to B_j' which have output x-or equal to C_j' 
for the S-box S_j. The actual pairs having the specified input x-ors and giving rise to the specified output 
x-ors can be obtained from the set IN_j(B_j', C_j') = {B_j : S_j(B_j) ⊕ S_j(B_j ⊕ B_j') = C_j'}. Observe that this 
set can be partitioned into N_j(B_j', C_j')/2 pairs, each of which has (input) x-or equal to B_j'. 

Observe that the distribution tabulated in Example 3.1 consists of the values N_1(110100, C_1'), 
C_1' ∈ (Z_2)^4. The sets IN_1(110100, C_1') are listed in Figure 3.8. 

For each of the eight S-boxes, there are 64 possible input x-ors. Thus, there are 512 distributions which 
can be computed. These could easily be tabulated by computer. 

Recall that the input to the S-boxes in round i is formed as B = E ⊕ J, where E = E(R_{i-1}) is the expansion 
of R_{i-1} and J = K_i consists of the key bits for round i. Now, the input x-or (for all eight S-boxes) can be 
computed as follows: 

$$B \oplus B^* = (E \oplus J) \oplus (E^* \oplus J) = E \oplus E^*.$$

It is very important to observe that the input x-or does not depend on the key bits J. (However, the 
output x-or certainly does depend on these key bits.) 

We will write each of B, E and J as the concatenation of eight 6-bit strings: 

$$B = B_1 B_2 B_3 B_4 B_5 B_6 B_7 B_8$$
$$E = E_1 E_2 E_3 E_4 E_5 E_6 E_7 E_8$$
$$J = J_1 J_2 J_3 J_4 J_5 J_6 J_7 J_8$$

and we write B* and E* in a similar way. Let us suppose for the moment that we know the values E_j and 
E_j* for some j, 1 ≤ j ≤ 8, and the value of the output x-or for S_j, C_j' = S_j(B_j) ⊕ S_j(B_j*). Then it must 
be the case that 

$$B_j \in IN_j(B_j', C_j'),$$

where B_j' = E_j ⊕ E_j*. 

Suppose we define a set test_j as follows: 

DEFINITION 3.4 Suppose E_j and E_j* are bitstrings of length six, and C_j' is a bitstring of length four. 
Define 

$$test_j(E_j, E_j^*, C_j') = \{B_j \oplus E_j : B_j \in IN_j(E_j', C_j')\},$$

where E_j' = E_j ⊕ E_j*. 

That is, we take the x-or of E_j with every element of the set IN_j(E_j', C_j'). 

The following result is an immediate consequence of the discussion above. 

THEOREM 3.1 

Suppose E_j and E_j* are two inputs to the S-box S_j, and the output x-or for S_j is C_j'. Denote 
E_j' = E_j ⊕ E_j*. Then the key bits J_j occur in the set test_j(E_j, E_j*, C_j'). 

Observe that there will be exactly N_j(E_j', C_j') bitstrings of length six in the set test_j(E_j, E_j*, C_j'); the 
correct value of J_j must be one of these possibilities. 
Example 3.2 

Suppose E_1 = 000001, E_1* = 110101 and C_1' = 1101. Since N_1(110100, 1101) = 8, there will be 
exactly eight bitstrings in the set test_1(000001, 110101, 1101). From Figure 3.8, we see that 

IN_1(110100, 1101) = {000110, 010000, 010110, 011100, 100010, 100100, 101000, 110010}. 

Hence, 

test_1(000001, 110101, 1101) = {000111, 010001, 010111, 011101, 100011, 100101, 101001, 110011}. 

If we have a second such triple E_1, E_1*, C_1', then we can obtain a second set test_1 of possible values for 
the key bits in J_1. The true value of J_1 must be in the intersection of both sets. If we have several such 
triples, then we can quickly determine the key bits in J_1. One straightforward way to do this is to 
maintain an array of 64 counters, representing the 64 possibilities for the six key bits in J_1. A counter is 
incremented every time the corresponding key bits occur in a set test_1 for a particular triple. Given t 
triples, we hope to find a unique counter which has the value t; this will correspond to the true value of 
the key bits in J_1. 

3.6.1 An Attack on a 3-round DES 

Let's now see how the ideas of the previous section can be applied in a chosen plaintext attack of a 3-
round DES. We will begin with a pair of plaintexts and corresponding ciphertexts: 
L_0R_0, L_0*R_0*, L_3R_3 and L_3*R_3*. We can express R_3 as follows: 

$$R_3 = L_2 \oplus f(R_2, K_3) = L_0 \oplus f(R_0, K_1) \oplus f(R_2, K_3).$$

R_3* can be expressed in a similar way, and hence 

$$R_3' = L_0' \oplus f(R_0, K_1) \oplus f(R_0^*, K_1) \oplus f(R_2, K_3) \oplus f(R_2^*, K_3).$$

Now, suppose we have chosen the plaintexts so that R_0 = R_0*, i.e., so that 

R_0' = 00...0. 

Figure 3.9 Differential attack on 3-round DES 

Then f(R_0, K_1) = f(R_0*, K_1) and so 

$$R_3' = L_0' \oplus f(R_2, K_3) \oplus f(R_2^*, K_3).$$

At this point, R_3' is known since it can be computed from the two ciphertexts, and L_0' is known since it 
can be computed from the two plaintexts. This means that we can compute 

$$f(R_2, K_3) \oplus f(R_2^*, K_3)$$

from the equation 

$$f(R_2, K_3) \oplus f(R_2^*, K_3) = R_3' \oplus L_0'.$$

Now, f(R_2, K_3) = P(C) and f(R_2*, K_3) = P(C*), where C and C*, respectively, denote the two 
outputs of the eight S-boxes (recall that P is a fixed, publicly known permutation). Hence, 

$$P(C) \oplus P(C^*) = R_3' \oplus L_0',$$

and consequently 

$$C' = C \oplus C^* = P^{-1}(R_3' \oplus L_0'). \tag{3.1}$$

This is the output x-or for the eight S-boxes in round three. 

Now, R_2 = L_3 and R_2* = L_3* are also known (they are part of the ciphertexts). Hence, we can compute 

$$E = E(L_3) \tag{3.2}$$

and 

$$E^* = E(L_3^*) \tag{3.3}$$

using the publicly known expansion function E. These are the inputs to the S-boxes for round three. So, 
we now know E, E*, and C' for the third round, and we can proceed, as in the previous section, to 
construct the sets test_1, ..., test_8 of possible values for the key bits in J_1, ..., J_8. 

A pseudo-code description of this algorithm is given in Figure 3.9. The attack will use several such 
triples E, E*, C'. We set up eight arrays of counters, and thereby determine the 48 bits in K_3, the key for 
the third round. The 56 bits in the key can then be computed by an exhaustive search of the 2^8 = 256 
possibilities for the remaining eight key bits. 

Let's look at an example to illustrate. 
Example 3.3 

Suppose we have the following three pairs of plaintexts and ciphertexts, where the plaintexts have the 
specified x-ors, that are encrypted using the same key. We use a hexadecimal representation, for brevity: 

plaintext           ciphertext 
748502CD38451097    03C70306D8A09F10 
3874756438451097    78560A0960E6D4CB 
486911026ACDFF31    45FA285BE5ADC730 
375BD31F6ACDFF31    134F7915AC253457 
357418DA013FEC86    D8A31B2F28BBC5CF 
12549847013FEC86    0F317AC2B23CB944 

From the first pair, we compute the S-box inputs (for round 3) from Equations (3.2) and (3.3). They are: 

E = 000000000111111000001110100000000110100000001100 
E* = 101111110000001010101100000001010100000001010010. 

The S-box output x-or is calculated using Equation (3.1) to be: 

C' = 10010110010111010101101101100111. 



From the second pair, we compute the S-box inputs to be 

E = 101000001011111111110100000101010000001011110110 
E* = 100010100110101001011110101111110010100010101010 

and the S-box output x-or is 

C' = 10011100100111000001111101010110. 

From the third pair, the S-box inputs are 

E = 111011110001010100000110100011110110100101011111 
E* = 000001011110100110100010101111110101011000000100 

and the S-box output x-or is 

C' = 11010101011101011101101100101011. 

Next, we tabulate the values in the eight counter arrays for each of the three pairs. We illustrate the 
procedure with the counter array for J_1 from the first pair. In this pair, we have E_1' = 101111 and 
C_1' = 1001. The set 

IN_1(101111, 1001) = {000000, 000111, 101000, 101111}. 

Since E_1 = 000000, we have that 

J_1 ∈ test_1(000000, 101111, 1001) = {000000, 000111, 101000, 101111}. 

Hence, we increment the values 0, 7, 40, and 47 in the counter array for J_1. 

The final tabulations are now presented. If we think of a bit-string of length six as being the binary 
representation of an integer between 0 and 63, then the 64 values correspond to the counts of 0, 1, ... , 
63. The counter arrays are as follows: 
In each of the eight counter arrays, there is a unique counter having the value 3. The positions of these 
counters determine the key bits in J_1, ..., J_8. These positions are (respectively): 47, 5, 19, 0, 24, 7, 7, 
49. Converting these integers to binary, we obtain J_1, ..., J_8: 

J_1 = 101111 
J_2 = 000101 
J_3 = 010011 
J_4 = 000000 
J_5 = 011000 
J_6 = 000111 
J_7 = 000111 
J_8 = 110001. 

We can now construct 48 bits of the key, by looking at the key schedule for round 3. It follows that K 
has the form 

0001101 0110001 01?01?0 1?00100 
0101001 0000??0 111?11? ?100011 

where parity bits are omitted and "?" denotes an unknown key bit. The complete key (in hexadecimal, 
including parity bits), is: 

1A624C89520DEC46. 

3.6.2 An Attack on a 6-round DES 

We now describe an extension of these ideas to a probabilistic attack on a 6-round DES. The idea is to 
carefully choose a pair of plaintexts with a specified x-or, and then to determine the probabilities of a 
specified sequence of x-ors through the rounds of encryption. We need to define an important concept 
now. 

DEFINITION 3.5 Let n ≥ 1 be an integer. An n-round characteristic is a list of the form 

$$L_0', R_0', L_1', R_1', p_1, \ldots, L_n', R_n', p_n,$$

which satisfies the following properties: 

1. L_i' = R_{i-1}' for 1 ≤ i ≤ n. 

2. Let 1 ≤ i ≤ n, and let L_{i-1}, R_{i-1} and L_{i-1}*, R_{i-1}* be chosen such that L_{i-1} ⊕ L_{i-1}* = L_{i-1}' 
and R_{i-1} ⊕ R_{i-1}* = R_{i-1}'. Suppose L_i, R_i and L_i*, R_i* are computed by applying one round 
of DES encryption. Then the probability that L_i ⊕ L_i* = L_i' and R_i ⊕ R_i* = R_i' is precisely 
p_i. (Note that this probability is computed over all possible 48-tuples J = J_1 ... J_8.) 

The probability of the characteristic is defined to be the product p = p_1 × ... × p_n. 

REMARK Suppose we choose L_0, R_0 and L_0*, R_0* so that L_0 ⊕ L_0* = L_0' and R_0 ⊕ R_0* = R_0', and 
we apply n rounds of DES encryption, obtaining L_1, ..., L_n and R_1, ..., R_n. Then we cannot claim that 
the probability that L_i ⊕ L_i* = L_i' and R_i ⊕ R_i* = R_i' for all i (1 ≤ i ≤ n) is p_1 × ... × p_n. This is 
because the 48-tuples in the key schedule K_1, ..., K_n are not mutually independent. (If these n 48-
tuples were chosen independently at random, then the assertion would be true.) But we nevertheless 
expect p_1 × ... × p_n to be a fairly accurate estimate of this probability. 

We also need to recognize that the probabilities p_i in a characteristic are defined with respect to an 
arbitrary (but fixed) pair of plaintexts having a specified x-or, where the 48 key bits for one round of 
DES encryption vary over all 2^48 possibilities. However, a cryptanalyst is attempting to determine a 
fixed (but unknown) key. He is going to choose plaintexts at random (such that they have specified x-
ors), hoping that the probabilities that the x-ors during the n rounds of encryption agree with the x-ors 
specified in the characteristic are fairly close to p_1, ..., p_n, respectively. 



As a simple example, we present in Figure 3.10 a 1-round characteristic which was the basis of the 
attack on the 3-round DES (as before, we use hexadecimal representations). We depict another 1-round 
characteristic in Figure 3.11. 
Let's look at the characteristic in Figure 3.11 in more detail. When f(R_0, K_1) and f(R_0*, K_1) are 
computed, the first step is to expand R_0 and R_0*. The resulting x-or of the two expansions is 

001100...0. 

Figure 3.10 A 1-round characteristic 

Figure 3.11 Another 1-round characteristic 

So the input x-or to S_1 is 001100 and the input x-ors for the other seven S-boxes are all 000000. The 
output x-ors for S_2 through S_8 will all be 0000. The output x-or for S_1 will be 1110 with probability 
14/64 (since it can be computed that N_1(001100, 1110) = 14). So we obtain 

C' = 11100000000000000000000000000000 

with probability 14/64. Applying P, we get 

P(C) ⊕ P(C*) = 00000000100000001000001000000000, 

which in hexadecimal is 00808200. When this is x-ored with L_0', we get the specified R_1' with 
probability 14/64. Of course L_1' = R_0' always. 

The attack on the 6-round DES is based on the 3-round characteristic given in Figure 3.12. In the 6-
round attack, we will start with L_0R_0, L_0*R_0*, L_6R_6 and L_6*R_6*, where we have chosen the plaintexts 
so that L_0' = 40080000 and R_0' = 04000000 (in hexadecimal). We can express R_6 as follows: 

$$R_6 = L_5 \oplus f(R_5, K_6) = L_3 \oplus f(R_3, K_4) \oplus f(R_5, K_6).$$
Figure 3.12 A 3-round characteristic 

R_6* can be expressed in a similar way, and hence we get 

$$R_6' = L_3' \oplus f(R_3, K_4) \oplus f(R_3^*, K_4) \oplus f(R_5, K_6) \oplus f(R_5^*, K_6). \tag{3.4}$$

(Note the similarity with the 3-round attack.) 

R_6' is known. From the characteristic, we estimate that L_3' = 04000000 and R_3' = 40080000 
with probability 1/16. If this is in fact the case, then the input x-or for the S-boxes in round 4 can be 
computed by the expansion function to be: 

001000000000000001010000...0. 

The input x-ors for S_2, S_5, S_6, S_7 and S_8 are all 000000, and hence the output x-ors are 0000 for these five 
S-boxes in round 4. This means that we can compute the output x-ors of these five S-boxes in round 6 
from Equation (3.4). So, suppose we compute 

$$C_1' C_2' C_3' C_4' C_5' C_6' C_7' C_8' = P^{-1}(R_6' \oplus 04000000),$$

where each C_j' is a bitstring of length four. Then with probability 1/16, it will be the case that 
C_2', C_5', C_6', C_7' and C_8' are respectively the output x-ors of S_2, S_5, S_6, S_7 and S_8 in round 6. The inputs 
to these S-boxes in round 6 can be computed to be E_2, E_5, E_6, E_7 and E_8, and E_2*, E_5*, E_6*, E_7* and 
E_8*, where 

$$E_1 E_2 E_3 E_4 E_5 E_6 E_7 E_8 = E(R_5) = E(L_6)$$

and 

$$E_1^* E_2^* E_3^* E_4^* E_5^* E_6^* E_7^* E_8^* = E(R_5^*) = E(L_6^*)$$

can be computed from the ciphertexts, as indicated in Figure 3.13. 

We would like to determine the 30 key bits in J_2, J_5, J_6, J_7 and J_8 as we did in the 3-round attack. The 
problem is that the hypothesized output x-or for round 6 is correct only with probability 1/16. So 15/16 
of the time we will obtain random garbage rather than possible key bits. We somehow need to be able to 
determine the correct key from the given data, 15/16 of which is incorrect. This might not seem very 
promising, but fortunately our prospects are not as bleak as they initially appear. 

DEFINITION 3.6 Suppose L_0 ⊕ L_0* = L_0' and R_0 ⊕ R_0* = R_0'. We say that the pair of plaintexts 
L_0R_0 and L_0*R_0* is a right pair with respect to a characteristic if L_i ⊕ L_i* = L_i' and 
R_i ⊕ R_i* = R_i' for all i, 1 ≤ i ≤ n. The pair is defined to be a wrong pair, otherwise. 

Figure 3.13 Differential attack on 6-round DES 

We expect that about 1/16 of our pairs are right pairs and the rest are wrong pairs with respect to our 3-
round characteristic. 

Our strategy is to compute E_j, E_j* and C_j', as described above, and then to determine test_j 
for j = 2, 5, 6, 7, 8. If we start with a right pair, then the correct key bits for each J_j will be included in 
the set test_j. If the pair is a wrong pair, then the value of C_j' will be incorrect, and it seems reasonable to 
hypothesize that each set test_j will be essentially random. 

We can often identify a wrong pair by this method: If |test_j| = 0, for any j ∈ {2, 5, 6, 7, 8}, then we 
necessarily have a wrong pair. Now, given a wrong pair, we might expect that the probability that |test_j| 
= 0 for a particular j is approximately 1/5. This is a reasonable assumption since N_j(E_j', C_j') = |test_j| 
and, as mentioned earlier, the probability that N_j(E_j', C_j') = 0 is approximately 1/5. The probability 
that all five test_j's have positive cardinality is estimated to be .8^5 ≈ .33, so the probability that at 
least one test_j has zero cardinality is about .67. So we expect to eliminate about 2/3 of the wrong pairs by 
this simple observation, which we call the filtering operation. The proportion of right pairs that remain 
after filtering is approximately 

$$\frac{1/16}{1/16 + (15/16)(1/3)}.$$
Example 3.4 

Suppose we have the following plaintext-ciphertext pair: 

plaintext           ciphertext 
86FA1C2B1F51D3BE    1E23ED7F2F553971 
C6F21C2B1B51D3BE    296DE2B687AC6340 

Observe that L_0' = 40080000_16 and R_0' = 04000000_16. The S-box inputs and outputs for round 
6 are computed to be the following: 

j    E_j       E_j*      C_j' 
2    111100    010011    1101 
5    111101    111100    0001 
6    011010    000101    0010 
7    101111    010110    1100 
8    111110    101100    1101 

Then, the sets test_j are as follows: 
j    test_j 
2    14, 15, 26, 30, 32, 33, 48, 52 
5    ∅ 
6    7, 24, 36, 41, 54, 59 
7    ∅ 
8    34, 35, 43, 49 

We see that both test_5 and test_7 are empty sets, so this pair is a wrong pair and is discarded by the 
filtering operation. 

Now suppose that we have a pair such that |test_j| > 0 for j = 2, 5, 6, 7, 8, so that it survives the filtering 
operation. (Of course, we do not know if the pair is a right pair or a wrong pair.) We say that the 
bitstring J_2J_5J_6J_7J_8 of length 30 is suggested by the pair if J_j ∈ test_j for j = 2, 5, 6, 7, 8. The number of 
suggested bitstrings is 

$$\prod_{j \in \{2, 5, 6, 7, 8\}} |test_j|.$$

It is not unusual for the number of suggested bitstrings to be quite large (for example, greater than 
80000). 

Suppose we were to tabulate all the suggested bitstrings obtained from the N pairs that were not 
discarded by the filtering operation. For every right pair, the correct bitstring J_2J_5J_6J_7J_8 will be a 
suggested bitstring. This correct bitstring will be counted about 3N/16 times. Incorrect bitstrings should 
occur much less often, since they will occur essentially at random and there are 2^30 possibilities (a very 
large number). 

It would get extremely unwieldy to tabulate all the suggested bitstrings, so we use an algorithm that 
requires less space and time. We can encode any test_j as a vector T_j of length 64, where the ith 
coordinate of T_j is set to 1 (for 0 ≤ i ≤ 63) if the bitstring of length six that is the binary representation of 
i is in the set test_j; and the ith coordinate is set to 0 otherwise (this is essentially the same as the counter 
array representation that we used in the 3-round attack). 

For each remaining pair, construct these vectors as described above, and name them T_j^i, j = 2, 5, 6, 7, 8, 
1 ≤ i ≤ N. For I ⊆ {1, ..., N}, we say that I is allowable if for each j ∈ {2, 5, 6, 7, 8}, there is at least 
one coordinate equal to |I| in the vector 

$$\sum_{i \in I} T_j^i.$$

If the ith pair is a right pair for every i ∈ I, then the set I is allowable. Hence, we expect there to be an 
allowable set of size (approximately) 3N/16, which we hope will suggest the correct key bits and no 
other. It is a simple matter to construct all the allowable sets I by means of a recursive algorithm. 
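The filtering operation and the recursive allowable-set search, as an added example (this is not the book's code). Each test_j is held as a Python set of the integers 0 to 63; the vector T_j of the text is the characteristic vector of such a set, and a coordinate of Σ T_j^i equal to |I| is exactly a non-empty intersection of the sets, which is what the recursion maintains. The SAMPLE data are constructed: pairs 1 to 3 play right pairs that all contain the key bits, pair 4 plays a wrong pair whose sets overlap pairs 1 and 2 only by chance. EXAMPLE_3_4 is the test_j listing of Example 3.4 above, which the filter discards.

```python
"""The filtering operation and the allowable-set search of the 6-round attack."""

POSITIONS = (2, 5, 6, 7, 8)   # the S-boxes whose key bits J_j the attack recovers


def survives_filter(tests: dict) -> bool:
    """A pair is discarded when any test_j is empty (it is then certainly a wrong pair)."""
    return all(tests[j] for j in POSITIONS)


def allowable_sets(pairs: dict) -> list:
    """All allowable I: for each j, the test_j sets of the pairs in I have a common element.
    pairs[i][j] is test_j for the i-th surviving pair; the recursion extends I one id at a time,
    carrying the running intersection so that each extension is a single set operation."""
    ids = sorted(pairs)
    found = []

    def extend(chosen, common, start):
        for k in range(start, len(ids)):
            i = ids[k]
            narrowed = {j: common[j] & pairs[i][j] for j in POSITIONS}
            if all(narrowed.values()):       # every position still has a candidate
                found.append(chosen + (i,))
                extend(chosen + (i,), narrowed, k + 1)

    extend((), {j: set(range(64)) for j in POSITIONS}, 0)
    return found


def suggested_bits(pairs: dict, chosen: tuple) -> dict:
    """Key bits J_j suggested by an allowable set: the intersection of its test_j sets."""
    return {j: set.intersection(*(pairs[i][j] for i in chosen)) for j in POSITIONS}


def size_histogram(sets: list) -> dict:
    """n_i = number of allowable sets of cardinality i, as tabulated in Example 3.5."""
    hist = {}
    for s in sets:
        hist[len(s)] = hist.get(len(s), 0) + 1
    return hist


def largest_allowable(pairs: dict) -> tuple:
    """The allowable set of greatest size, which is expected to come from the right pairs."""
    return max(allowable_sets(pairs), key=len)


# Constructed sample: pairs 1-3 stand in for right pairs (all contain 47, 12, 20, 33, 60),
# pair 4 for a wrong pair whose sets happen to overlap pairs 1 and 2.
SAMPLE = {
    1: {2: {3, 47, 50}, 5: {9, 12},  6: {20, 21}, 7: {5, 33},  8: {1, 60}},
    2: {2: {8, 47},     5: {12, 40}, 6: {7, 20},  7: {2, 33},  8: {60, 61}},
    3: {2: {47},        5: {12, 13}, 6: {20},     7: {11, 33}, 8: {9, 60}},
    4: {2: {3, 8, 47},  5: {9, 40},  6: {7, 21},  7: {2, 5},   8: {1, 61}},
}

# The test_j sets of Example 3.4 (from the book): test_5 and test_7 are empty.
EXAMPLE_3_4 = {2: {14, 15, 26, 30, 32, 33, 48, 52}, 5: set(),
               6: {7, 24, 36, 41, 54, 59}, 7: set(), 8: {34, 35, 43, 49}}
```

On the constructed sample the largest allowable set is {1, 2, 3} and suggests exactly one value for each of J_2, J_5, J_6, J_7, J_8; the wrong pair joins only two-element sets. This is the shape of Example 3.5 below in miniature, where the unique largest set is the one formed by the right pairs.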

Example 3.5 

We did some computer runs to test this approach. A random sample of 120 pairs of plaintexts with the 
specified x-ors was generated, and these were encrypted using the same (random) key. We present the 
120 pairs of ciphertexts and corresponding plaintexts in hexadecimal form in Table 3.1. 

When we compute the allowable sets, we obtain n_i allowable sets of cardinality i, for the following 
values: 

i     n_i 
2     111 
3     180 
4     231 
5     255 
6     210 
7     120 
8     45 
9     10 
10    1 

The unique allowable set of size 10 is 

{24, 29, 30, 48, 50, 52, 55, 83, 92, 118}. 

In fact, it does arise from the 10 right pairs. This allowable set suggests the correct key bits for J_2, J_5, J_6, 
J_7 and J_8 and no others. They are as follows: 

J_2 = 011001 
J_5 = 110000 
J_6 = 001001 
J_7 = 101010 
J_8 = 100011 

Figure 3.14 Another 3-round characteristic 

Note that all the allowable sets of cardinality at least 6, and all but three of the allowable sets of 
cardinality 5, arise from right pairs, since C(10, 5) = 252 and C(10, i) = n_i for 6 ≤ i ≤ 10. 

This method yields 30 of the 56 key bits. By means of a different 3-round characteristic, presented in 
Figure 3.14, it is possible to compute 12 further key bits, namely those in two further S-box key-bit 
groups J_j. Now only 14 key bits remain unknown. Since 2^14 = 16384 is quite small, an exhaustive 
search can be used to determine the remaining 14 key bits. 

The entire key (in hexadecimal, including parity-check bits) is: 

34E9F71A20756231. 

As mentioned above, the 120 pairs are given in Table 3.1. In the second column, a * denotes that a pair 
is a right pair, while a ** denotes that the pair is an identifiable wrong pair and is discarded by the 
filtering operation. Of the 120 pairs, 73 are identified as being wrong pairs by the filtering process, so 47 
pairs remain as "possible" right pairs. 
3.6.3 Other examples of Differential Cryptanalysis 

Differential cryptanalysis techniques can be used to attack DES with more than six rounds. An 8-round 
DES requires 2^14 chosen plaintexts, and 10-, 12-, 14- and 16-round DESs can be broken with 2^24, 2^31, 
2^39 and 2^47 chosen plaintexts, respectively. The attacks on more than 10 rounds are probably not 
practical at this time. 

Several substitution-permutation product ciphers other than DES are also susceptible (to varying 
degrees) to differential cryptanalysis. These cryptosystems include several substitution-permutation 
cryptosystems that have been proposed in recent years, such as FEAL, REDOC-II, and LOKI. 



Table 3.1 Cryptanalysis of 6-round DES 

pair  right pair?  plaintext           ciphertext 
1     **           86FA1C2B1F51D3BE    1E23ED7F2F553971 
                   C6F21C2B1B51D3BE    296DE2B687AC6340 
2     **           EDC439EC935E1ACD    0F847EFE90466588 
                   ADCC39EC975E1ACD    93E84839F374440B 
3     **           9468A0BE00166155    3D6A906A6566D0BF 
                   D460A0BE04166155    3BC3B236398379E1 
4     **           D4FF2B18A5A8AAC8    26B14738C2556BA4 
                   94F72B18A1A8AAC8    15753FDE86575A8F 
5                  09D0F2CF277AF54F    15751F4F11308114 
                   49D8F2CF237AF54F    6046A7C863F066AF 
6                  CBC7157240D415DF    7FCDC300FB9698E5 
                   8BCF157244D415DF    522185DD7E47D43A 
7                  0D4A1E84890981C1    E7C0B01E32557558 
                   4D421E848D0981C1    912C6341A69DF295 
8     **           6CE6B2A9B8194835    75D52E028A5C48A3 
                   2CEEB2A9BC194835    6C88603B48E5A8CE 
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Q 

y 


** 


399763C3CD322C1A 


A£nA999RPF9444RR 

6634AA9DF18307F4 


1 n 


** 


1 R 9 £ £ /I RrTQI T7 n T7 1 /] Q 
±douv^DEjOO±EjL)e "lo 

5B3E645E3C1EDF48 


1 H 1 Q 1 I79QRnRRQnQ1 T3 
±r y±EjZ.yDUDDy\Jy±iD 

D094FC12C02C17CA 


1 1 

1 1 




RSPA1 9FSDR4AnRRQ 

C5C213F50F4ADBB9 


FD1 0 RFF 7 9 Q 7nnF 0 A 

LU1 U 0£j£j / *J J 1 U U Ej KJ r\ 

3F405F4A3E254714 


1 9 


** 


396BA8EFD55BC4A1 


ppTI /IQQQTI R A 9 9R A 

C344C73CC97E4AC4 


1 ^ 

ij 




(DLr r / 3 3 rii O 3 £Li 

3BC7F7BCA055E65E 


4 / 3/i.Z 1J U 4 O ^JiUUlli o z 

8E94334AEF359EF8 


14 
if 


4C585CEDB099218C 


n9PA^99QppQrrm^ 

UjLDDZjjrLo^LLU /D 

9A316E801EE18EB1 




2C56A056C9C91A14 


RPTFRfll SQRPAQZIF^ 

67DB935C21FF1A8D 


ID 


** 


/i 1 anmo/n r 

OOZZ/l i ± i ±±/lUJJ-jZ i ±±0 

262AA441A4D32415 


9 Ri? Q £ 1 crrna coqq^ 
4313E1925F5B64BC 


17 

i / 




r" i n999f"'QQ4AFF1 PQQ 

803B3C994EFF1C99 


n4£A4r'F1 f D 9 9 1 R1 1 

D22B42DB150E2CE8 


1 8 

1 o 


QF7R9Q74FfinF1 A £F 

DE732974F40E1A6E 


1 79n9R£nQfiO£F£FF 

2217A91F8C427D27 


1 Q 


** 


PI?^Q9QQ^RI7 l n ^ 7n^ l ^T^ , 

Lr J jZo j / de L) / UL / Hi 

8F512897BBD70C7E 


e do y Z.DD y Ej / JJ UHj / HjU 

C328B765E1CC6653 


90 




Q 1 9 4 A QF A 1 

A97ECF19164A9FA1 


q n RRF 9 41 RRR.0QFA£ 
9ADDBA0C2 3DD7 2 4F 


71 

Z 1 


** 


j^u^'O^'orii / jDjd / 3 u 

1C01696E7763675D 


Q9n^nFsr i 7i r n i aqq 
DD90908A4FE8168F 


99 


** 


E81C5AB3C5B2C7DE 


r Dor L jr o U J D1 o 1 / J3 

51C041B5711B8132 


9^ 

ZZ> 




47nF£AriRR1 7P71 R Q 

4 IDE OnUDDl / O / 1 J J 

07D76A0BB5787159 


R9F9£f"'4r'A99FARA9 

vJZrliZ) O^T^ri.ZZrii.r-ivJ.riZ 

373EAFD503F68DE4 


94 


* 


7PR£szi£;zi99QRZiR£;n 
3CEE5464369B4E6D 


fi99AQn7D99ni RnQF 

85E2CE665571E99C 


9S 

Z J 


** 


4 9 1 FR£AnQR7Q1 RA7 

H. Z ± E EJ \Jr\U J 3 / J ± IJ)ri. / 

0217B6AD91791BA7 


Dl F79DRA1 P)R R £ RF 7 

U ± Hj / O U 13 ri. 1 JJD J O JUi / 

188E61735FA4F3CE 


96 

ZU 


** 


UOOrli^i-iZ>D±Z5DOr r JJD 

85869A361768FFD6 


/ .7 OHi JD J7JJ O U Ui-irli O O iy 

26D37AC4867ACC61 
3.7 Notes and References 

A nice article on the history of DES is by Smid and Branstad [SB92]. Federal Information Processing 
Standards (FIPS) publications concerning DES include the following: description of DES [NBS77]; 
implementing and using DES [NBS81]; modes of operation of DES [NBS80]; and authentication using 
DES [NBS85]. 

Some properties of the S-boxes are studied by Brickell, Moore, and Purtill [BMP87]. 

The DEC DES chip is described in [EB93]. Wiener's key search machine was described at CRYPTO '93 
[WI94]. 

The time-memory trade-off for DES is due to Hellman [HE80]. A more general time-memory trade-off 
is presented by Fiat and Naor in [FN91]. 

The technique of differential cryptanalysis was developed by Biham and Shamir [BS91] (see also 
[BS93A] and their book [BS93], where cryptanalysis of other cryptosystems is also discussed). Our 
treatment of differential cryptanalysis is based largely on [BS93]. 

Another new method of cryptanalysis that can be used to attack DES and other similar cryptosystems is 
the linear cryptanalysis of Matsui [MA94, MA94A]. 

Descriptions of other substitution-permutation cryptosystems can be found in the following sources: 
LUCIFER [FE73]; FEAL [MI91]; REDOC-II [CW91]; and LOKI [BKPS90]. 

Exercises 

3.1 Prove that DES decryption can be done by applying the DES encryption algorithm to the 
ciphertext with the key schedule reversed. 

3.2 Let DES(x, K) represent the encryption of plaintext x with key K using the DES 
cryptosystem. Suppose y = DES(x, K) and y' = DES(c(x), c(K)), where c(.) denotes the bitwise 
complement of its argument. Prove that y' = c(y) (i.e., if we complement the plaintext and the 
key, then the ciphertext is also complemented). Note that this can be proved using only the "high-
level" description of DES — the actual structure of S-boxes and other components of the system 
are irrelevant. 

3.3 One way to strengthen DES is by double encryption: Given two keys, K_1 and K_2, define 
y = e_{K_2}(e_{K_1}(x)) (of course, this is just the product of DES with itself). If it happened that 
the encryption function e_{K_2} was the same as the decryption function d_{K_1}, then K_1 and K_2 
are said to be dual keys. (This is very undesirable for double encryption, since the resulting 
ciphertext is identical to the plaintext.) A key is self-dual if it is its own dual key. 

(a) Prove that if C_0 is either all 0's or all 1's and D_0 is either all 0's or all 1's, then K is 
self-dual. 

(b) Prove that the following keys (given in hexadecimal notation) are self-dual: 

0101010101010101 
FEFEFEFEFEFEFEFE 
1F1F1F1F0E0E0E0E 
E0E0E0E0F1F1F1F1 

(c) Prove that if C_0 = 0101 ... 01 or 1010 ... 10 (in binary), then the x-or of the 
bitstrings C_i and C_{17-i} is 1111 ... 11, for 1 ≤ i ≤ 16 (a similar statement holds for the D_i's). 

(d) Prove that the following pairs of keys (given in hexadecimal notation) are dual: 

E001E001F101F101   01E001E001F101F1 
FE1FFE1FFE0EFE0E   1FFE1FFE0EFE0EFE 
E01FE01FF10EF10E   1FE01FE00EF10EF1 

3.4 A message authentication code (MAC) can be produced by using CFB mode, as well as by 
using CBC mode. Given a sequence of plaintext blocks x_1 ... x_n, suppose we define the 
initialization vector IV to be x_1. Then encrypt x_2 ... x_n using key K in CFB mode, obtaining 
y_1 ... y_{n-1} (note that there are only n - 1 ciphertext blocks). Finally, define the MAC to be 
e_K(y_{n-1}). Prove that this MAC is identical to the MAC produced in Section 3.4.1 using CBC mode. 

3.5 Suppose a sequence of plaintext blocks, x_1 ... x_n, is encrypted using DES, producing 
ciphertext blocks y_1 ... y_n. Suppose that one ciphertext block, say y_i, is transmitted incorrectly (i.e., 
some 1's are changed to 0's and vice versa). Show that the number of plaintext blocks that 
will be decrypted incorrectly is equal to one if ECB or OFB modes were used for encryption; and 
equal to two if CBC or CFB modes were used. 
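The two facts asked for in Exercises 3.4 and 3.5 can be checked mechanically with any 64-bit block cipher. The following is an added example, not code from the book: it stands in a small four-round Feistel network for DES (the identities depend only on the mode equations, not on the cipher), implements the four modes of operation, the CBC-MAC of Section 3.4.1 (taken here to be CBC encryption with IV = 00...0 whose last ciphertext block is the MAC) and the CFB construction of Exercise 3.4, and counts the wrongly decrypted blocks after one ciphertext block is corrupted. The key, IV and plaintext blocks are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def _round_fn(key: bytes, half: bytes, r: int) -> bytes:
    # Constructed round function: a hash truncated to 32 bits, keyed by K and the round number.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network standing in for DES; a bijection, so decryption is well defined."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round_fn(key, r, i))
    return r + l                     # final swap of the halves, as in DES

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = r, _xor(l, _round_fn(key, r, i))
    return r + l

# The four modes of operation. Every function takes an IV so they share one interface (ECB ignores it).
def ecb_enc(key, iv, xs): return [toy_encrypt(key, x) for x in xs]
def ecb_dec(key, iv, ys): return [toy_decrypt(key, y) for y in ys]

def cbc_enc(key, iv, xs):
    out, prev = [], iv
    for x in xs:
        prev = toy_encrypt(key, _xor(x, prev)); out.append(prev)   # y_i = e_K(x_i xor y_{i-1})
    return out

def cbc_dec(key, iv, ys):
    out, prev = [], iv
    for y in ys:
        out.append(_xor(toy_decrypt(key, y), prev)); prev = y     # x_i = d_K(y_i) xor y_{i-1}
    return out

def cfb_enc(key, iv, xs):
    out, prev = [], iv
    for x in xs:
        prev = _xor(x, toy_encrypt(key, prev)); out.append(prev)   # y_i = x_i xor e_K(y_{i-1})
    return out

def cfb_dec(key, iv, ys):
    out, prev = [], iv
    for y in ys:
        out.append(_xor(y, toy_encrypt(key, prev))); prev = y     # x_i = y_i xor e_K(y_{i-1})
    return out

def ofb_enc(key, iv, xs):
    out, z = [], iv
    for x in xs:
        z = toy_encrypt(key, z); out.append(_xor(x, z))            # keystream z_i = e_K(z_{i-1})
    return out

ofb_dec = ofb_enc   # OFB decryption is the same keystream XOR

MODES = {"ECB": (ecb_enc, ecb_dec), "CBC": (cbc_enc, cbc_dec),
         "CFB": (cfb_enc, cfb_dec), "OFB": (ofb_enc, ofb_dec)}

def cbc_mac(key, xs):
    """MAC of Section 3.4.1 (as assumed here): CBC mode with IV = 00...0, MAC = last ciphertext block."""
    return cbc_enc(key, bytes(BLOCK), xs)[-1]

def cfb_mac(key, xs):
    """MAC of Exercise 3.4: IV = x_1, CFB-encrypt x_2 ... x_n, MAC = e_K(y_{n-1})."""
    ys = cfb_enc(key, xs[0], xs[1:])
    return toy_encrypt(key, ys[-1])

def corrupted_block_count(m, key, iv, xs, i):
    """Exercise 3.5: flip one bit of ciphertext block y_i, count wrongly decrypted plaintext blocks."""
    enc, dec = MODES[m]
    ys = enc(key, iv, xs)
    ys[i] = _xor(ys[i], b"\x80" + bytes(BLOCK - 1))
    return sum(1 for a, b in zip(dec(key, iv, ys), xs) if a != b)

# Constructed sample input: a key, an IV and six distinct plaintext blocks.
KEY = b"constructed-key!"
IV = bytes(range(8))
BLOCKS = [bytes(range(8 * j, 8 * j + 8)) for j in range(6)]

def propagation_summary(key=KEY, iv=IV, xs=BLOCKS, i=2):
    """Number of wrongly decrypted blocks per mode when block y_i (not the last) is corrupted."""
    return {m: corrupted_block_count(m, key, iv, xs, i) for m in MODES}
```

Because the Feistel stand-in is a bijection, the error counts come out exactly as the exercise states (one block for ECB and OFB, two for CBC and CFB); with a non-bijective stand-in the CBC and CFB counts could accidentally be lower.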

3.6 The purpose of this question is to investigate a simplified time-memory trade-off for a 
chosen plaintext attack. Suppose we have a cryptosystem in which P = C = K, which 
attains perfect secrecy. Then it must be the case that e_K(x) = e_{K'}(x) implies K = K'. 
Denote P = Y = {y_1, ..., y_N}. Let x be a fixed plaintext. Define the function g : Y -> Y by the 
rule g(y) = e_y(x). Define a directed graph G having vertex set Y, in which the edge set consists of 
all the directed edges of the form (y_i, g(y_i)), 1 ≤ i ≤ N. 

(a) Prove that G consists of the union of disjoint directed cycles. 

(b) Let T be a desired time parameter. Suppose we have a set of elements Z = {z_1, ..., 
z_m} ⊆ Y such that, for every element y_i ∈ Y, either y_i is contained in a cycle of length at 
most T, or there exists an element z_j ≠ y_i such that the distance from y_i to z_j (in G) is at 
most T. Prove that there exists such a set Z such that 

[the bound on |Z| is illegible in the scan] 

so |Z| is O(N/T). 

(c) For each z_j ∈ Z, define g^{-T}(z_j) to be the element y_i such that g^T(y_i) = z_j, where g^T is the 
function that consists of T iterations of g. Construct a table X consisting of the ordered 
pairs (z_j, g^{-T}(z_j)), sorted with respect to their first coordinates. 

A pseudo-code description of an algorithm to find K, given y = e_K(x), is presented in 
Figure 3.15. Prove that this algorithm finds K in at most T steps. (Hence the time-memory 
trade-off is O(N).) 

Figure 3.15 Time-memory trade-off (the figure itself is not reproduced in the scan) 

Figure 3.16 Differential attack on 4-round DES (the figure itself is not reproduced in the scan) 

(d) Describe a pseudo-code algorithm to construct the desired set Z in time O(NT) 
without using an array of size N. 
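The following added example (not the book's Figure 3.15, which is not reproduced in the scan) works through parts (a) to (c) of Exercise 3.6 on a constructed toy cryptosystem: P = C = K = Z_N with N = 2^10, and e_K(x) = σ(K) XOR x for a fixed random permutation σ, which has perfect secrecy because K -> e_K(x) is a bijection for every x. It decomposes the graph G into its cycles, chooses Z as every T-th vertex of each cycle longer than T, builds the table X, and recovers K from y = e_K(x) with at most T evaluations of g beyond the table lookups. The choice of Z, the lookup loop, N = 1024, T = 32 and the fixed plaintext x = 5 are all my own assumptions.

```python
import random

N = 2 ** 10        # |P| = |C| = |K| = N  (constructed toy size)
T = 32             # the time parameter
X_FIXED = 5        # the fixed plaintext x used to define g

# Constructed toy cryptosystem with perfect secrecy: e_K(x) = sigma(K) XOR x for a
# fixed permutation sigma of Z_N. For a fixed x, K -> e_K(x) is a bijection, so
# e_K(x) = e_K'(x) implies K = K'.
_rng = random.Random(2024)
SIGMA = list(range(N))
_rng.shuffle(SIGMA)

def encrypt(key: int, x: int) -> int:
    return SIGMA[key] ^ x

def g(y: int) -> int:
    """g(y) = e_y(x) for the fixed plaintext x; the unknown key K is a preimage of y under g."""
    return encrypt(y, X_FIXED)

def cycles():
    """Decompose the functional graph of g into its directed cycles (part (a))."""
    seen = [False] * N
    out = []
    for start in range(N):
        if seen[start]:
            continue
        cyc, cur = [], start
        while not seen[cur]:
            seen[cur] = True
            cyc.append(cur)
            cur = g(cur)
        out.append(cyc)
    return out

def build_table(T: int) -> dict:
    """Pick Z = every T-th vertex of each cycle longer than T (part (b)) and return the
    table X of part (c) as a dict z -> g^{-T}(z). Every vertex of a long cycle is then
    at most T - 1 steps ahead of some z; short cycles need no entries at all."""
    table = {}
    for cyc in cycles():
        L = len(cyc)
        if L <= T:
            continue
        for pos in range(0, L, T):
            z = cyc[pos]
            table[z] = cyc[(pos - T) % L]      # the vertex T steps behind z on its cycle
    return table

def find_key(y: int, table: dict, T: int) -> int:
    """Recover K with g(K) = y: walk forward from y for at most T steps; on hitting a
    table entry z, jump back to g^{-T}(z) and walk forward to the predecessor of y."""
    cur = y
    for d in range(T):
        if cur in table:                     # cur = z lies d (0 <= d <= T-1) steps ahead of y
            w = table[cur]                   # w = g^{-T}(z) lies T - d >= 1 steps behind y
            while g(w) != y:
                w = g(w)
            return w
        nxt = g(cur)
        if nxt == y:                         # y lies on a cycle of length <= T
            return cur
        cur = nxt
    raise RuntimeError("Z does not cover y; the table was built incorrectly")

def recovers_every_key(T: int = T) -> bool:
    """Sanity check: the trade-off finds every K in the toy key space."""
    table = build_table(T)
    return all(find_key(g(K), table, T) == K for K in range(N))
```

The table holds one entry per T vertices of each long cycle, so it is O(N/T) in size, while each search costs at most T evaluations of g, which is the O(N) time-memory product the exercise refers to.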

3.7 Compute the probabilities of the following 3-round characteristic (only parts of it are legible in the 
scan): 

L_0' = 00200008_16   R_0' = 00000400_16 
[intermediate rounds illegible]   p = ? 
L_3' = 00000400_16   R_3' = 00200008_16 
3.8 Here is a differential attack on a 4-round DES. It uses the following characteristic, which is a 
special case of the characteristic presented in Figure 3.10: 

L_0' = 20000000_16   R_0' = 00000000_16 
L_1' = 00000000_16   R_1' = 20000000_16   p = 1 

(a) Suppose that the algorithm presented in Figure 3.16 is used to compute sets 
test_2, ..., test_8. Show that J_j ∈ test_j for 2 ≤ j ≤ 8. 

(b) Given the following plaintext-ciphertext pairs, find the key bits J_2, ..., J_8. 

plaintext          ciphertext 
18493AC485B8D9A0   E332151312A18B4F 
38493AC485B8D9A0   87391C27E5282161 
482765DDD7009123   B5DDD8339D82D1D1 
682765DDD7009123   81F4B92BD94B6FD8 
ABCD098733731FF1   93A4B42F62EA59E4 
8BCD098733731FF1   ABA494072BF411E5 
13578642AAFFEDCB   FDEB526275FB9D94 
33578642AAFFEDCB   CC8F72AAE685FDB1 

(c) Compute the entire key (14 key bits remain to be determined, which can be done by 
exhaustive search). 
Chapter 4 

The RSA System and Factoring 

4.1 Introduction to Public-key Cryptography 

In the classical model of cryptography that we have been studying up until now, Alice and Bob secretly 
choose the key K. K then gives rise to an encryption rule e_K and a decryption rule d_K. In the 
cryptosystems we have seen so far, d_K is either the same as e_K, or easily derived from it (for example, 
DES decryption is identical to encryption, but the key schedule is reversed). Cryptosystems of this type 
are known as private-key systems, since exposure of e_K renders the system insecure. 



One drawback of a private-key system is that it requires the prior communication of the key K between 
Alice and Bob, using a secure channel, before any ciphertext is transmitted. In practice, this may be very 
difficult to achieve. For example, suppose Alice and Bob live far away from each other and they decide 
that they want to communicate electronically, using e-mail. In a situation such as this, Alice and Bob 
may not have access to a reasonably secure channel. 



The idea behind a public-key system is that it might be possible to find a cryptosystem where it is 
computationally infeasible to determine d_K given e_K. If so, then the encryption rule e_K could be made 
public by publishing it in a directory (hence the term public-key system). The advantage of a public-key 
system is that Alice (or anyone else) can send an encrypted message to Bob (without the prior 
communication of a secret key) by using the public encryption rule e_K. Bob will be the only person that 
can decrypt the ciphertext, using his secret decryption rule d_K. 



Consider the following analogy: Alice places an object in a metal box, and then locks it with a 
combination lock left there by Bob. Bob is the only person who can open the box since only he knows 
the combination. 



The idea of a public-key system was due to Diffie and Hellman in 1976. The first realization of a public-
key system came in 1977 by Rivest, Shamir, and Adleman, who invented the well-known RSA 
Cryptosystem which we study in this chapter. Since then, several public-key systems have been 
proposed, whose security rests on different computational problems. Of these, the most important are the 
following: 

RSA 

The security of RSA is based on the difficulty of factoring large integers. This system is 
described in Section 4.3. 

Merkle-Hellman Knapsack 

This and related systems are based on the difficulty of the subset sum problem (which is NP-
complete^1); however, all of the various knapsack systems have been shown to be insecure (with 
the exception of the Chor-Rivest Cryptosystem mentioned below). See Chapter 5 for a 
discussion of this cryptosystem. 

^1 The NP-complete problems are a large class of problems for which no polynomial-time 
algorithms are known. 



McEliece 

The McEliece Cryptosystem is based on algebraic coding theory and is still regarded as being 
secure. It is based on the problem of decoding a linear code (which is also NP-complete). (See 
Chapter 5.) 

ElGamal 

The ElGamal Cryptosystem is based on the difficulty of the discrete logarithm problem for 
finite fields. (See Chapter 5.) 

Chor-Rivest 

This is also referred to as a "knapsack" type system, but it is still regarded as being secure. 

Elliptic Curve 

The Elliptic Curve Cryptosystems are modifications of other systems (such as the ElGamal 
Cryptosystem, for example) that work in the domain of elliptic curves rather than finite fields. 
The Elliptic Curve Cryptosystems appear to remain secure for smaller keys than other public-
key cryptosystems. (See Chapter 5.) 

One very important observation is that a public-key cryptosystem can never provide unconditional 
security. This is because an opponent, on observing a ciphertext y, can encrypt each possible plaintext in 
turn using the public encryption rule e_K until he finds the unique x such that y = e_K(x). This x is the 
decryption of y. Consequently, we study the computational security of public-key systems. 

It is helpful conceptually to think of a public-key system in terms of an abstraction called a trapdoor one- 
way function. We informally define this notion now. 
Bob's public encryption function, e_K, should be easy to compute. We have just noted that computing the 
inverse function (i.e., decrypting) should be hard (for anyone other than Bob). This property of being 
easy to compute but hard to invert is often called the one-way property. Thus, we desire that e_K be an 
(injective) one-way function. 

One-way functions play a central role in cryptography; they are important for constructing public-key 
cryptosystems and in various other contexts. Unfortunately, although there are many functions that are 
believed to be one-way, there currently do not exist functions that can be proved to be one-way. 

Here is an example of a function which is believed to be one-way. Suppose n is the product of two large 
primes p and q, and let b be a positive integer. Then define f : Z_n -> Z_n to be 

f(x) = x^b mod n. 

(For a suitable choice of b and n, this is in fact the RSA encryption function; we will have much more to 
say about it later.) 

If we are to construct a public-key cryptosystem, then it is not sufficient to find a one-way function. We 
do not want e_K to be a one-way function from Bob's point of view, since he wants to be able to decrypt 
messages that he receives in an efficient way. Thus, it is necessary that Bob possesses a trapdoor, which 
consists of secret information that permits easy inversion of e_K. That is, Bob can decrypt efficiently 
because he has some extra secret knowledge about K. So, we say that a function is a trapdoor one-way 
function if it is a one-way function, but it becomes easy to invert with the knowledge of a certain 
trapdoor. 

We will see in Section 4.3 how to find a trapdoor for the function f defined above. This will lead to the 
RSA Cryptosystem. 
4.2 More Number Theory 

Before describing how RSA works, we need to discuss some more facts concerning modular arithmetic 
and number theory. Two fundamental results that we require are the Euclidean algorithm and the 
Chinese remainder theorem. 

4.2.1 The Euclidean Algorithm 

We already observed in Chapter 1 that Z_n is a ring for any positive integer n. We also proved there that 
b ∈ Z_n has a multiplicative inverse if and only if gcd(b, n) = 1, and that the number of positive 
integers less than n and relatively prime to n is φ(n). 

Let Z_n^* denote the set of residues modulo n that are relatively prime to n. It is not hard to see that 
Z_n^* forms an abelian group under multiplication. We already have stated that multiplication modulo n is 
associative and commutative, and that 1 is the multiplicative identity. Any element in Z_n^* will have a 
multiplicative inverse (which is also in Z_n^*). Finally, Z_n^* is closed under multiplication since xy is 
relatively prime to n whenever x and y are relatively prime to n (prove this!). 

At this point, we know that any b ∈ Z_n^* has a multiplicative inverse, b^{-1}, but we do not yet have an 
efficient algorithm to compute b^{-1}. Such an algorithm exists; it is called the extended Euclidean 
algorithm. 

First, we describe the Euclidean algorithm, in its basic form, which is used to compute the greatest 
common divisor of two positive integers, say r_0 and r_1, where r_0 > r_1. The Euclidean algorithm consists 
of performing the following sequence of divisions: 

r_0 = q_1 r_1 + r_2,               0 < r_2 < r_1 
r_1 = q_2 r_2 + r_3,               0 < r_3 < r_2 
... 
r_{m-2} = q_{m-1} r_{m-1} + r_m,   0 < r_m < r_{m-1} 
r_{m-1} = q_m r_m. 

Then it is not hard to show that 

gcd(r_0, r_1) = gcd(r_1, r_2) = ... = gcd(r_{m-1}, r_m) = r_m. 

Hence, it follows that gcd(r_0, r_1) = r_m. 

Since the Euclidean algorithm computes greatest common divisors, it can be used to determine if a 
positive integer b < n has a multiplicative inverse modulo n, by starting with r_0 = n and r_1 = b. However, 
it does not compute the value of the multiplicative inverse (if it exists). 

Now, suppose we define a sequence of numbers t_0, t_1, ..., t_m according to the following recurrence 
(where the q_j's are defined as above): 

t_0 = 0 
t_1 = 1 
t_j = t_{j-2} - q_{j-1} t_{j-1} mod r_0,   if j ≥ 2. 

Then we have the following useful result. 

THEOREM 4.1 

For 0 ≤ j ≤ m, we have that r_j ≡ t_j r_1 (mod r_0), where the q_j's and r_j's are defined as in the Euclidean 
algorithm, and the t_j's are defined in the above recurrence. 

PROOF The proof is by induction on j. The assertion is trivially true for j = 0 and j = 1. Assume the 
assertion is true for j = i - 1 and i - 2, where i ≥ 2; we will prove the assertion is true for j = i. By 
induction, we have that 

r_{i-2} ≡ t_{i-2} r_1 (mod r_0) 

and 

r_{i-1} ≡ t_{i-1} r_1 (mod r_0). 

Now, we compute: 

r_i = r_{i-2} - q_{i-1} r_{i-1} 
    ≡ t_{i-2} r_1 - q_{i-1} t_{i-1} r_1 (mod r_0) 
    ≡ (t_{i-2} - q_{i-1} t_{i-1}) r_1 (mod r_0) 
    ≡ t_i r_1 (mod r_0). 

Hence, the result is true by induction. 

The next corollary is an immediate consequence. 

COROLLARY 4.2 

Suppose gcd(r_0, r_1) = 1. Then t_m = r_1^{-1} mod r_0. 

Now, the sequence of numbers t_0, t_1, ..., t_m can be calculated in the Euclidean algorithm at the same 
time as the q_j's and the r_j's. In Figure 4.1, we present the extended Euclidean algorithm to compute the 
inverse of b modulo n, if it exists. In this version of the algorithm, we do not use an array to keep track 
of the q_j's, r_j's and t_j's, since it suffices to remember only the "last" two terms in each of these sequences 
at any point in the algorithm. 

In step 10 of the algorithm, we have written the expression for temp in such a way that the reduction 
modulo n is done with a positive argument. (We mentioned earlier that modular reductions of negative 
numbers yield negative results in many computer languages; of course, we want to end up with a 
positive result here.) We also mention that at step 12, it is always the case that tb ≡ r (mod n) (this is the 
result proved in Theorem 4.1). 

Here is a small example to illustrate: 

Example 4.1 

Suppose we wish to compute 28^{-1} mod 75. The extended Euclidean algorithm proceeds as follows: 
75 = 2 × 28 + 19      73 × 28 mod 75 = 19      step 12 
28 = 1 × 19 + 9        3 × 28 mod 75 = 9       step 12 
19 = 2 × 9 + 1        67 × 28 mod 75 = 1       step 12 
9 = 9 × 1                                       step 16 

Hence, 28^{-1} mod 75 = 67. 

Figure 4.1 Extended Euclidean algorithm (the figure itself is not reproduced in the scan) 
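The algorithm of Figure 4.1 is not reproduced in the scan, so here is an added implementation of the extended Euclidean algorithm as Section 4.2.1 describes it (my own code, not the book's figure): only the last two terms of the r_j, q_j and t_j sequences are kept, the update of t is written so that the reduction modulo n has a positive argument, and the invariant t b ≡ r (mod n) of Theorem 4.1 is checked at every step. The function also returns the rows of Example 4.1 so that the trace can be compared with the book's.

```python
def ext_euclid_inverse(b: int, n: int):
    """Return (b^{-1} mod n, rows) using the extended Euclidean algorithm with r_0 = n, r_1 = b,
    or (None, rows) when gcd(b, n) > 1. Each row is (r_{j-1}, q_j, r_j, r_{j+1}, t_{j+1}),
    i.e. the division r_{j-1} = q_j r_j + r_{j+1} and the t with t * b mod n = r_{j+1}."""
    if not (0 < b < n):
        raise ValueError("require 0 < b < n")
    r0, r1 = n, b          # r_0 = n, r_1 = b
    t0, t1 = 0, 1          # t_0 = 0, t_1 = 1
    rows = []
    while True:
        q = r0 // r1
        r2 = r0 - q * r1
        if r2 == 0:
            break                              # r_{m-1} = q_m r_m: the divisions stop here
        t2 = (t0 - q * t1) % n                 # t_j = t_{j-2} - q_{j-1} t_{j-1} mod r_0, positive argument
        rows.append((r0, q, r1, r2, t2))
        assert (t2 * b) % n == r2              # Theorem 4.1: t_j r_1 ≡ r_j (mod r_0)
        r0, r1, t0, t1 = r1, r2, t1, t2        # remember only the last two terms of each sequence
    if r1 != 1:
        return None, rows                      # gcd(b, n) = r_m > 1, so no inverse exists
    return t1, rows                            # Corollary 4.2: t_m = r_1^{-1} mod r_0

def format_trace(b: int, n: int) -> str:
    """Render the rows in the layout of Example 4.1."""
    inv, rows = ext_euclid_inverse(b, n)
    lines = [f"{r0} = {q} x {r1} + {r2}    {t} x {b} mod {n} = {r2}" for r0, q, r1, r2, t in rows]
    lines.append(f"{b}^-1 mod {n} = {inv}")
    return "\n".join(lines)
```

Running ext_euclid_inverse(28, 75) reproduces the three rows of Example 4.1 with t = 73, 3, 67 and returns 67; with b = 3533 and n = 11200 it returns the decryption exponent 6597 of Example 4.5 in Section 4.3.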
4.2.2 The Chinese Remainder Theorem 

The Chinese remainder theorem is really a method of solving certain systems of congruences. Suppose 
m_1, ..., m_r are pairwise relatively prime positive integers (that is, gcd(m_i, m_j) = 1 if i ≠ j). Suppose 
a_1, ..., a_r are integers, and consider the following system of congruences: 

x ≡ a_1 (mod m_1) 
x ≡ a_2 (mod m_2) 
... 
x ≡ a_r (mod m_r). 

The Chinese remainder theorem asserts that this system has a unique solution modulo M = m_1 × m_2 × 
... × m_r. We will prove this result in this section, and also describe an efficient algorithm for solving 
systems of congruences of this type. 

It is convenient to study the function π : Z_M -> Z_{m_1} × ... × Z_{m_r}, which we define as follows: 

π(x) = (x mod m_1, ..., x mod m_r). 

Example 4.2 

Suppose r = 2, m_1 = 5 and m_2 = 3, so M = 15. Then the function π has the following values: 
π(0) = (0, 0)     π(5) = (0, 2)     π(10) = (0, 1) 
π(1) = (1, 1)     π(6) = (1, 0)     π(11) = (1, 2) 
π(2) = (2, 2)     π(7) = (2, 1)     π(12) = (2, 0) 
π(3) = (3, 0)     π(8) = (3, 2)     π(13) = (3, 1) 
π(4) = (4, 1)     π(9) = (4, 0)     π(14) = (4, 2). 



Proving the Chinese remainder theorem amounts to proving that this function π we have defined is a 
bijection. In Example 4.2 this is easily seen to be the case. In fact, we will be able to give an explicit 
general formula for the inverse function π^{-1}. 

For 1 ≤ i ≤ r, define 

M_i = M / m_i. 

Then it is not difficult to see that 

gcd(M_i, m_i) = 1 

for 1 ≤ i ≤ r. Next, for 1 ≤ i ≤ r, define 

y_i = M_i^{-1} mod m_i. 

(This inverse exists since gcd(M_i, m_i) = 1, and it can be found using the Euclidean algorithm.) Note that 

M_i y_i ≡ 1 (mod m_i) 

for 1 ≤ i ≤ r. 

Now, define a function ρ : Z_{m_1} × ... × Z_{m_r} -> Z_M as follows: 

ρ(a_1, ..., a_r) = Σ_{i=1}^{r} a_i M_i y_i mod M. 

We will show that the function ρ = π^{-1}, i.e., it provides an explicit formula for solving the original 
system of congruences. 
Denote X = ρ(a_1, ..., a_r), and let 1 ≤ j ≤ r. Consider a term a_i M_i y_i in the above summation, reduced 
modulo m_j: If i = j, then 

a_i M_i y_i ≡ a_i (mod m_i) 

since 

M_i y_i ≡ 1 (mod m_i). 

On the other hand, if i ≠ j, then 

a_i M_i y_i ≡ 0 (mod m_j) 

since m_j | M_i in this case. Thus, we have that 

X ≡ Σ_{i=1}^{r} a_i M_i y_i (mod m_j) 
  ≡ a_j (mod m_j). 

Since this is true for all j, 1 ≤ j ≤ r, X is a solution to the system of congruences. 

At this point, we need to show that the solution X is unique modulo M. But this can be done by simple 
counting. The function π is a function from a domain of cardinality M to a range of cardinality M. We 
have just proved that π is a surjective (i.e., onto) function. Hence, π must also be injective (i.e., one-to-
one), since the domain and range have the same cardinality. It follows that π is a bijection and π^{-1} = ρ. 
Note also that π^{-1} is a linear function of its arguments a_1, ..., a_r. 

Here is a bigger example to illustrate. 

Example 4.3 

Suppose r = 3, m_1 = 7, m_2 = 11 and m_3 = 13. Then M = 1001. We compute M_1 = 143, M_2 = 91 and M_3 = 
77, and then y_1 = 5, y_2 = 4 and y_3 = 12. Then the function π^{-1} : Z_7 × Z_11 × Z_13 -> Z_1001 is the 
following: 

π^{-1}(a_1, a_2, a_3) = 715 a_1 + 364 a_2 + 924 a_3 mod 1001. 

For example, if x ≡ 5 (mod 7), x ≡ 3 (mod 11) and x ≡ 10 (mod 13), then this formula tells us that 

x = 715 × 5 + 364 × 3 + 924 × 10 mod 1001 
  = 13907 mod 1001 
  = 894 mod 1001. 

This can be verified by reducing 894 modulo 7, 11 and 13. 

For future reference, we record the results of this section as a theorem. 

THEOREM 4.3 (Chinese Remainder Theorem) 

Suppose m_1, ..., m_r are pairwise relatively prime positive integers, and suppose a_1, ..., a_r are integers. 
Then, the system of r congruences x ≡ a_i (mod m_i) (1 ≤ i ≤ r) has a unique solution modulo M = m_1 × ... 
× m_r, which is given by 

x = Σ_{i=1}^{r} a_i M_i y_i mod M, 

where M_i = M/m_i and y_i = M_i^{-1} mod m_i, for 1 ≤ i ≤ r. 
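The explicit formula of Theorem 4.3 is short enough to implement directly. The following is an added example, not code from the book: it computes the M_i and y_i for arbitrary pairwise coprime moduli, evaluates ρ, and checks by enumeration that π is a bijection on Z_M, which is the counting argument of the proof. The modular inverses y_i are obtained with Python's built-in pow(M_i, -1, m_i) (available from Python 3.8) rather than a hand-written Euclidean algorithm.

```python
from math import gcd, prod

def crt_coefficients(moduli):
    """For pairwise relatively prime m_1, ..., m_r return (M, [M_i], [y_i]) with
    M = m_1 * ... * m_r, M_i = M / m_i and y_i = M_i^{-1} mod m_i."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    M = prod(moduli)
    M_i = [M // m for m in moduli]
    y_i = [pow(Mi, -1, m) for Mi, m in zip(M_i, moduli)]   # exists since gcd(M_i, m_i) = 1
    return M, M_i, y_i

def crt_solve(residues, moduli):
    """rho(a_1, ..., a_r) = sum of a_i M_i y_i mod M: the unique x in Z_M with x ≡ a_i (mod m_i)."""
    M, M_i, y_i = crt_coefficients(moduli)
    return sum(a * Mi * yi for a, Mi, yi in zip(residues, M_i, y_i)) % M

def pi(x, moduli):
    """pi(x) = (x mod m_1, ..., x mod m_r)."""
    return tuple(x % m for m in moduli)

def pi_is_bijection(moduli):
    """Enumerate Z_M: pi is onto the product of the Z_{m_i} and rho inverts it everywhere."""
    M = prod(moduli)
    images = {pi(x, moduli) for x in range(M)}
    return len(images) == M and all(crt_solve(pi(x, moduli), moduli) == x for x in range(M))
```

With the moduli 7, 11 and 13 of Example 4.3 the coefficients come out as M_i = 143, 91, 77 and y_i = 5, 4, 12, and crt_solve([5, 3, 10], [7, 11, 13]) returns 894.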
4.2.3 Other Useful Facts 

We next mention another result from elementary group theory, called Lagrange's Theorem, that will be 
relevant in our treatment of the RSA Cryptosystem. For a (finite) multiplicative group G, define the 
order of an element g ∈ G to be the smallest positive integer m such that g^m = 1. The following result is 
fairly simple, but we will not prove it here. 

THEOREM 4.4 (Lagrange) 

Suppose G is a multiplicative group of order n, and g ∈ G. Then the order of g divides n. 

For our purposes, the following corollaries are essential. 

COROLLARY 4.5 

If b ∈ Z_n^*, then b^{φ(n)} ≡ 1 (mod n). 

PROOF Z_n^* is a multiplicative group of order φ(n). 

COROLLARY 4.6 (Fermat) 

Suppose p is prime and b ∈ Z_p. Then b^p ≡ b (mod p). 

PROOF If p is prime, then φ(p) = p - 1. So, for b ≢ 0 (mod p), the result follows from Corollary 4.5. 
For b ≡ 0 (mod p), the result is also true since 0^p ≡ 0 (mod p). 

At this point, we know that if p is prime, then Z_p^* is a group of order p - 1, and any element in Z_p^* has 
order dividing p - 1. However, if p is prime, then the group Z_p^* is in fact cyclic: there exists an element 
α ∈ Z_p^* having order equal to p - 1. We will not prove this very important fact, but we do record it for 
future reference: 
THEOREM 4.7 

If p is prime, then Z_p^* is a cyclic group. 

An element α having order p - 1 is called a primitive element modulo p. Observe that α is a primitive 
element if and only if 

{α^i : 0 ≤ i ≤ p - 2} = Z_p^*. 

Now, suppose p is prime and α is a primitive element modulo p. Any element β ∈ Z_p^* can be written as 
β = α^i, where 0 ≤ i ≤ p - 2, in a unique way. It is not difficult to prove that the order of β = α^i is 

[formula illegible in the scan] 

Thus β is itself a primitive element if and only if gcd(p - 1, i) = 1. It follows that the number of primitive 
elements modulo p is φ(p - 1). 

Example 4.4 

Suppose p = 13. By computing successive powers of 2, we can verify that 2 is a primitive element 
modulo 13: 

2^0 mod 13 = 1 
2^1 mod 13 = 2 
2^2 mod 13 = 4 
2^3 mod 13 = 8 
2^4 mod 13 = 3 
2^5 mod 13 = 6 
2^6 mod 13 = 12 
2^7 mod 13 = 11 
2^8 mod 13 = 9 
2^9 mod 13 = 5 
2^10 mod 13 = 10 
2^11 mod 13 = 7. 

The element 2^i is primitive if and only if gcd(i, 12) = 1; i.e., if and only if i = 1, 5, 7 or 11. Hence, the 
primitive elements modulo 13 are 2, 6, 7 and 11. 
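Example 4.4 can be generalised to any prime. The following added example (my own code, not the book's) computes the order of an element of Z_p^* by repeated multiplication, lists the primitive elements both by testing every element and by the criterion gcd(i, p - 1) = 1 applied to the powers of one known primitive element, and checks the count against φ(p - 1). It works for the p = 13 of the example and for any other small prime.

```python
from math import gcd

def multiplicative_order(beta: int, p: int) -> int:
    """Smallest m >= 1 with beta^m ≡ 1 (mod p), for beta in Z_p^*; by Lagrange it divides p - 1."""
    if beta % p == 0:
        raise ValueError("beta must be in Z_p^*")
    m, power = 1, beta % p
    while power != 1:
        power = (power * beta) % p
        m += 1
    return m

def is_primitive(alpha: int, p: int) -> bool:
    """alpha is primitive modulo p iff its order is p - 1, i.e. its powers exhaust Z_p^*."""
    return multiplicative_order(alpha, p) == p - 1

def powers_table(alpha: int, p: int) -> list:
    """(i, alpha^i mod p) for 0 <= i <= p - 2, the table of Example 4.4."""
    return [(i, pow(alpha, i, p)) for i in range(p - 1)]

def primitive_elements(p: int) -> list:
    """All primitive elements modulo the prime p, found by testing each element of Z_p^*."""
    return [a for a in range(1, p) if is_primitive(a, p)]

def primitive_elements_from(alpha: int, p: int) -> list:
    """Given one primitive element alpha, alpha^i is primitive iff gcd(i, p - 1) = 1."""
    if not is_primitive(alpha, p):
        raise ValueError("alpha is not a primitive element")
    return sorted(pow(alpha, i, p) for i in range(p - 1) if gcd(i, p - 1) == 1)

def euler_phi(n: int) -> int:
    """phi(n) by counting, enough for the small n used here."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)
```

For p = 13 both methods return [2, 6, 7, 11], four elements, which is φ(12); the powers table reproduces the twelve values listed in Example 4.4.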



1 - I - h i - ^ l-rhiF"JJ 
'jpiL r-u inln in r-r h- i rur 

Figure 4.2 RSA Cryptosystem 

4.3 The RSA Cryptosystem 

We can now describe the RSA Cryptosystem. This cryptosystem uses computations in Z_n, where n is 
the product of two distinct odd primes p and q. For such n, note that φ(n) = (p - 1)(q - 1). 

The formal description of the cryptosystem is given in Figure 4.2. Let's verify that encryption and 
decryption are inverse operations. Since 

ab ≡ 1 (mod φ(n)), 

we have that 

ab = tφ(n) + 1 

for some integer t ≥ 1. Suppose that x ∈ Z_n^*; then we have 

(x^b)^a ≡ x^{tφ(n)+1} (mod n) 
        ≡ (x^{φ(n)})^t x (mod n) 
        ≡ 1^t x (mod n) 
        ≡ x (mod n), 

as desired. We leave it as an exercise for the reader to show that (x^b)^a ≡ x (mod n) if x ∈ Z_n \ Z_n^*. 

Here is a small (insecure) example of the RSA Cryptosystem. 

Example 4.5 

Suppose Bob chooses p = 101 and q = 113. Then n = 11413 and φ(n) = 100 × 112 = 11200. Since 11200 
= 2^6 × 5^2 × 7, an integer b can be used as an encryption exponent if and only if b is not divisible by 2, 5 or 7. 
(In practice, however, Bob will not factor φ(n). He will verify that gcd(φ(n), b) = 1 using the Euclidean 
algorithm.) Suppose Bob chooses b = 3533. Then the extended Euclidean algorithm will yield 

b^{-1} = 6597 mod 11200. 

Hence, Bob's secret decryption exponent is a = 6597. 

Bob publishes n = 11413 and b = 3533 in a directory. Now, suppose Alice wants to send the plaintext 
9726 to Bob. She will compute 

9726^3533 mod 11413 = 5761 

and send the ciphertext 5761 over the channel. When Bob receives the ciphertext 5761, he uses his 
secret decryption exponent to compute 

5761^6597 mod 11413 = 9726. 

(At this point, the encryption and decryption operations might appear to be very complicated, but we 
will discuss efficient algorithms for these operations in the next section.) 

The security of RSA is based on the hope that the encryption function e_K(x) = x^b mod n is one-way, so it 
will be computationally infeasible for an opponent to decrypt a ciphertext. The trapdoor that allows Bob 
to decrypt is the knowledge of the factorization n = pq. Since Bob knows this factorization, he can 
compute φ(n) = (p - 1)(q - 1) and then compute the decryption exponent a using the extended Euclidean 
algorithm. We will say more about the security of RSA later on. 
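Example 4.5 and the remarks on the trapdoor can be reproduced in a few lines. The following is an added example, not code from the book: it sets up Bob's keys from given primes and exponent as Figure 4.2 prescribes (checking gcd(φ(n), b) = 1 rather than factoring φ(n)), encrypts and decrypts, verifies the reader's exercise that (x^b)^a ≡ x (mod n) also holds for x outside Z_n^* by enumerating all of Z_n, and shows why the factorization is the trapdoor: for a modulus this small, trial division recovers p and q and hence a. Python's built-in pow(b, -1, phi) is used for the modular inverse.

```python
from math import gcd

def rsa_setup(p: int, q: int, b: int) -> dict:
    """Bob's key generation from Figure 4.2 with given odd primes p, q and exponent b."""
    if p == q or p % 2 == 0 or q % 2 == 0:
        raise ValueError("p and q must be distinct odd primes")
    n = p * q
    phi = (p - 1) * (q - 1)                    # phi(n) = (p - 1)(q - 1)
    if gcd(b, phi) != 1:                       # Bob checks gcd(phi(n), b) = 1 by the Euclidean algorithm
        raise ValueError("b must be relatively prime to phi(n)")
    a = pow(b, -1, phi)                        # a = b^{-1} mod phi(n)
    return {"public": (n, b), "private": (n, a), "phi": phi}

def rsa_encrypt(public: tuple, x: int) -> int:
    n, b = public
    return pow(x, b, n)                        # e_K(x) = x^b mod n

def rsa_decrypt(private: tuple, y: int) -> int:
    n, a = private
    return pow(y, a, n)                        # d_K(y) = y^a mod n

def decrypts_every_plaintext(p: int, q: int, b: int) -> bool:
    """(x^b)^a ≡ x (mod n) for every x in Z_n, including those not in Z_n^*."""
    keys = rsa_setup(p, q, b)
    n = keys["public"][0]
    return all(rsa_decrypt(keys["private"], rsa_encrypt(keys["public"], x)) == x for x in range(n))

def private_exponent_from_factoring(n: int, b: int) -> int:
    """Why the trapdoor is the factorization: once n = pq is known, a follows exactly as Bob
    computed it. Trial division is feasible only because this toy n is tiny (Section 4.4)."""
    for p in range(3, int(n ** 0.5) + 1, 2):
        if n % p == 0:
            q = n // p
            return pow(b, -1, (p - 1) * (q - 1))
    raise ValueError("n has no small odd factor")
```

With p = 101, q = 113 and b = 3533 the setup yields a = 6597, the plaintext 9726 encrypts to 5761 and decrypts back, and the trial-division attack on n = 11413 returns the same a, which is the reason Section 4.4 asks for primes of about 100 digits.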



Copyright © CRC Press LLC 

Cryptography: Theory and Practice 
by Douglas Stinson 
CRC Press, CRC Press LLC 
ISBN: 0849385210 
Pub Date: 03/17/95 









4.4 Implementing RSA 

There are many aspects of the RSA Cryptosystem to discuss, including the details of setting up the 
cryptosystem, the efficiency of encrypting and decrypting, and security issues. In order to set up the 
system, Bob follows the steps indicated in Figure 4.3. How Bob carries out these steps will be discussed 
later in this chapter. 

One obvious attack on the cryptosystem is for a cryptanalyst to attempt to factor n. If this can be done, it 
is a simple matter to compute φ(n) = (p - 1)(q - 1) and then compute the decryption exponent a from b 
exactly as Bob did. (It has been conjectured that breaking RSA is polynomially equivalent^2 to factoring 
n, but this remains unproved.) 

^2 Two problems are said to be polynomially equivalent if the existence of a polynomial-time 
algorithm for either problem implies the existence of a polynomial-time algorithm for the other 
problem. 

Figure 4.3 Setting up RSA (the figure itself is not reproduced in the scan) 

Hence, if the RSA Cryptosystem is to be secure, it is certainly necessary that n = pq must be large 
enough that factoring it will be computationally infeasible. Current factoring algorithms are able to 
factor numbers having up to 130 decimal digits (for more information on factoring, see Section 4.8). 
Hence, it is recommended that, to be on the safe side, one should choose p and q to each be primes 
having about 100 digits; then n will have 200 digits. Several hardware implementations of RSA use a 
modulus which is 512 bits in length. However, a 512-bit modulus corresponds to about 154 decimal 
digits (since the number of bits in the binary representation of an integer is log_2 10 times the number of 
decimal digits), and hence it does not offer good long-term security. 
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Leaving aside for the moment the question of how to find 100 digit primes, let us look now at the 
arithmetic operations of encryption and decryption. An encryption (or decryption) involves performing 
one exponentiation modulo n. Since n is very large, we must use multiprecision arithmetic to perform 

computations in ^n, and the time required will depend on the number of bits in the binary 
representation of n. 

Suppose n has k bits in its binary representation; i.e., k = ⌊log₂ n⌋ + 1. Using standard "grade-school"
arithmetic techniques, it is not difficult to see that an addition of two k-bit integers can be done in time
O(k), and a multiplication can be done in time O(k²). Also, a reduction modulo n of an integer having at
most 2k bits can be performed in time O(k²) (this amounts to doing long division and retaining the
remainder). Now, suppose that x, y ∈ ℤ_n (where we are assuming that 0 ≤ x, y ≤ n − 1). Then xy mod
n can be computed by first calculating the product xy (which is a 2k-bit integer), and then reducing it
modulo n. These two steps can be performed in time O(k²). We call this computation modular
multiplication.



Figure 4.4 The square-and-multiply algorithm to compute x^c mod n

We now consider modular exponentiation, i.e., computation of a function of the form x^c mod n. As noted
above, both the encryption and the decryption operations in RSA are modular exponentiations.

Computation of x^c mod n can be done using c − 1 modular multiplications; however, this is very
inefficient if c is large. Note that c might be as big as φ(n) − 1, which is exponentially large compared to
k.

The well-known "square-and-multiply" approach reduces the number of modular multiplications
required to compute x^c mod n to at most 2ℓ, where ℓ is the number of bits in the binary representation
of c. Since ℓ ≤ k, it follows that x^c mod n can be computed in time O(k³). Hence, RSA encryption
and decryption can both be done in polynomial time (as a function of k, which is the number of bits in
one plaintext (or ciphertext) character).

Square-and-multiply assumes that the exponent, b say, is represented in binary notation, say

$$b = \sum_{i=0}^{\ell-1} b_i 2^i,$$

where b_i = 0 or 1, 0 ≤ i ≤ ℓ − 1. The algorithm to compute z = x^b mod n is presented in Figure
4.4. It is easy to count the number of modular multiplications performed by the square-and-multiply
algorithm. There are always ℓ squarings performed (step 3). The number of modular multiplications in
step 4 is equal to the number of 1's in the binary representation of b, which is an integer between 0 and
ℓ. Thus, the total number of modular multiplications is at least ℓ and at most 2ℓ.

We will illustrate the use of square-and-multiply by returning to Example 4.5. 
Example 4.5 (Cont.)

Recall that n = 11413, and the public encryption exponent is b = 3533. Alice encrypts the plaintext 9726
by computing 9726^3533 mod 11413, using the square-and-multiply algorithm, as follows (in binary,
3533 = 110111001101, so ℓ = 12 and the bits are scanned from i = 11 down to i = 0):

   i   b_i   z
  11    1    1² × 9726 = 9726
  10    1    9726² × 9726 = 2659
   9    0    2659² = 5634
   8    1    5634² × 9726 = 9167
   7    1    9167² × 9726 = 4958
   6    1    4958² × 9726 = 7783
   5    0    7783² = 6298
   4    0    6298² = 4629
   3    1    4629² × 9726 = 10185
   2    1    10185² × 9726 = 105
   1    0    105² = 11025
   0    1    11025² × 9726 = 5761

(all arithmetic is modulo 11413). Hence, as stated earlier, the ciphertext is 5761.

It should be emphasized that the most efficient current hardware implementations of RSA achieve
encryption rates of about 600 Kbits per second (using a 512-bit modulus n), as compared to 1 Gbit per
second for DES. Stated another way, RSA is roughly 1500 times slower than DES.
At this point we have discussed the encryption and decryption operations for RSA. In terms of setting up
RSA, the generation of the primes p and q (Step 1) will be discussed in the next section. Step 2 is
straightforward and can be done in time O((log n)²). Steps 3 and 4 involve the Euclidean algorithm, so
let's briefly consider its complexity.

Suppose we compute the greatest common divisor of r₀ and r₁, where r₀ > r₁. In each iteration of the
algorithm, we compute a quotient and remainder, which can be done in time O((log r₀)²). If we can
obtain an upper bound on the number of iterations, then we will have a bound on the complexity of the
algorithm. There is a well-known result, known as Lamé's Theorem, that provides such a bound. It
asserts that if s is the number of iterations, then f_{s+2} ≤ r₀, where f_i denotes the ith Fibonacci number.
Since the Fibonacci numbers grow exponentially, it follows that s is O(log r₀).

This shows that the running time of the Euclidean algorithm is O((log n)³). (Actually, a more careful
analysis can be used to show that the running time is, in fact, O((log n)²).)
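The following is an added example, not code from the book: it carries out RSA set-up Steps 3 and 4 with the extended Euclidean algorithm (returning the iteration count that Lamé's Theorem bounds) and then encrypts and decrypts with the square-and-multiply algorithm of Figure 4.4, producing the same row-by-row trace as the table of Example 4.5. The factorization n = 11413 = 101 × 113 is an assumption stated here; the text above gives only n and b.

```python
# Added example (not from the book): RSA set-up Steps 3-4 via the extended
# Euclidean algorithm, and encryption/decryption by square-and-multiply.
# Assumption: n = 11413 = 101 x 113 (Example 4.5's modulus), b = 3533.
from typing import List, Tuple


def extended_euclid(r0: int, r1: int) -> Tuple[int, int, int, int]:
    """Return (g, s, t, iterations) with g = gcd(r0, r1) = s*r0 + t*r1.

    Each loop turn is one quotient/remainder step; the count is what
    Lame's Theorem bounds, so it is O(log r0).
    """
    s0, s1, t0, t1 = 1, 0, 0, 1
    iterations = 0
    while r1 != 0:
        q, rem = divmod(r0, r1)          # one long division
        r0, r1 = r1, rem
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
        iterations += 1
    return r0, s0, t0, iterations


def lame_bound_holds(r0: int, r1: int) -> bool:
    """Lame's Theorem: with s iterations, f_{s+2} <= r0 (f_1 = f_2 = 1)."""
    _, _, _, s = extended_euclid(r0, r1)
    f_prev, f_cur = 1, 1                 # f_1, f_2
    for _ in range(s):
        f_prev, f_cur = f_cur, f_prev + f_cur
    return f_cur <= r0                   # f_cur is now f_{s+2}


def mod_inverse(b: int, m: int) -> int:
    """Step 4 of set-up: a = b^{-1} mod m; requires gcd(b, m) = 1."""
    g, s, _, _ = extended_euclid(b, m)
    if g != 1:
        raise ValueError("b has no inverse modulo m")
    return s % m


def rsa_setup(p: int, q: int, b: int) -> Tuple[int, int, int]:
    """Steps 2-4 of Figure 4.3: n, phi(n) and the decryption exponent a."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return n, phi, mod_inverse(b, phi)


def square_and_multiply(x: int, b: int, n: int) -> Tuple[int, List[Tuple[int, int, int]]]:
    """Compute x^b mod n, scanning the exponent bits from the most significant.

    Returns the result and a trace of (i, b_i, z) rows, one per bit: every
    row squares z (step 3) and multiplies by x only when b_i = 1 (step 4).
    """
    bits = bin(b)[2:]
    ell = len(bits)
    z = 1
    trace = []
    for i, bit in zip(range(ell - 1, -1, -1), bits):
        z = (z * z) % n
        if bit == "1":
            z = (z * x) % n
        trace.append((i, int(bit), z))
    return z, trace


if __name__ == "__main__":
    n, phi, a = rsa_setup(101, 113, 3533)
    y, rows = square_and_multiply(9726, 3533, n)
    for i, bit, z in rows:
        print(f"i={i:2d}  b_i={bit}  z={z}")
    print("ciphertext", y, "decrypts to", square_and_multiply(y, a, n)[0])
```

The trace reproduces the twelve rows of the table above; the number of multiplications in step 4 equals the number of 1 bits in 3533, and the total is between ℓ and 2ℓ as the text states.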

4.5 Probabilistic Primality Testing 

In setting up the RSA Cryptosystem, it is necessary to generate large (e.g., 80 digit) "random primes."
In practice, the way this is done is to generate large random numbers, and then test them for primality
using a probabilistic polynomial-time Monte Carlo algorithm such as the Solovay-Strassen or Miller-
Rabin algorithm, both of which we will present in this section. These algorithms are fast (i.e., an integer
n can be tested in time that is polynomial in log₂ n, the number of bits in the binary representation of n),
but there is a possibility that the algorithm may claim that n is prime when it is not. However, by
running the algorithm enough times, the error probability can be reduced below any desired threshold.
(We will discuss this in more detail a bit later.)

The other pertinent question is how many random integers (of a specified size) will need to be tested
until we find one that is prime. A famous result in number theory, called the Prime number theorem,
states that the number of primes not exceeding N is approximately N/ln N. Hence, if p is chosen at
random, the probability that it is prime is about 1/ln p. For a 512-bit modulus, the primes p have about
256 bits, and then 1/ln p ≈ 1/177. That is, on average, of 177 random integers p of the appropriate size,
one will be prime (of course, if we restrict our attention to odd integers, the probability doubles, to about
2/177). So it is indeed practical to generate sufficiently large random numbers that are "probably prime,"
and hence it is practical to set up the RSA Cryptosystem. We proceed to describe how this is done.

A decision problem is a problem in which a question is to be answered "yes" or "no." A probabilistic 
algorithm is any algorithm that uses random numbers (in contrast, an algorithm that does not use random 
numbers is called a deterministic algorithm). The following definitions pertain to probabilistic 
algorithms for decision problems. 
DEFINITION 4.1 A yes-biased Monte Carlo algorithm is a probabilistic algorithm for a decision
problem in which a "yes" answer is (always) correct, but a "no" answer may be incorrect. A no-biased
Monte Carlo algorithm is defined in the obvious way. We say that a yes-biased Monte Carlo algorithm
has error probability equal to ε if for any instance in which the answer is "yes," the algorithm will
give the (incorrect) answer "no" with probability at most ε. (This probability is computed over all
possible random choices made by the algorithm when it is run with a given input.)

The decision problem called Composites is described in Figure 4.5. 

Note that an algorithm for a decision problem only has to answer "yes" or "no." In particular, in the case 
of the problem Composites, we do not require the algorithm to find a factorization in the case that n is 
composite. 

We will first describe the Solovay-Strassen algorithm, which is a yes-biased Monte Carlo algorithm for 
Composites with error probability 1/2. Hence, if the algorithm answers "yes," then n is composite; 
conversely, if n is composite, then the algorithm answers "yes" with probability at least 1/2. 


Figure 4.5 Composites 


Figure 4.6 Quadratic Residues 

Although the Miller-Rabin algorithm (which we will discuss later) is faster than Solovay-Strassen, we 
begin by looking at the Solovay-Strassen algorithm because it is easier to understand conceptually and 
because it involves some number-theoretic concepts that will be useful in later chapters of the book. We 
begin by developing some further background from number theory before describing the algorithm. 

DEFINITION 4.2 Suppose p is an odd prime and x is an integer, 1 ≤ x ≤ p − 1. x is defined to be a
quadratic residue modulo p if the congruence y² ≡ x (mod p) has a solution y ∈ ℤ_p. x is defined to be a
quadratic non-residue modulo p if x ≢ 0 (mod p) and x is not a quadratic residue modulo p.

Example 4.6

The quadratic residues modulo 11 are 1, 3, 4, 5 and 9. Note that (±1)² = 1, (±5)² = 3, (±2)² = 4, (±4)² = 5
and (±3)² = 9 (where all arithmetic is in ℤ₁₁).

The decision problem Quadratic Residues is defined in Figure 4.6 in the obvious way. 

We prove a result, known as Euler's criterion, that will give rise to a polynomial-time deterministic
algorithm for Quadratic Residues.

THEOREM 4.8 (Euler's Criterion)

Let p be an odd prime. Then x is a quadratic residue modulo p if and only if

$$x^{(p-1)/2} \equiv 1 \pmod p.$$

PROOF First, suppose x ≡ y² (mod p). Recall from Corollary 4.6 that if p is prime, then y^{p−1} ≡ 1 (mod p)
for any y ≢ 0 (mod p). Thus we have

$$\begin{aligned}
x^{(p-1)/2} &\equiv (y^2)^{(p-1)/2} \pmod p \\
&\equiv y^{p-1} \pmod p \\
&\equiv 1 \pmod p.
\end{aligned}$$

Conversely, suppose x^{(p−1)/2} ≡ 1 (mod p). Let b be a primitive element modulo p. Then x ≡ b^i (mod p) for
some i. Then we have

$$\begin{aligned}
x^{(p-1)/2} &\equiv (b^i)^{(p-1)/2} \pmod p \\
&\equiv b^{i(p-1)/2} \pmod p.
\end{aligned}$$

Since b has order p − 1, it must be the case that p − 1 divides i(p − 1)/2. Hence, i is even, and then the
square roots of x are ±b^{i/2}.

Theorem 4.8 yields a polynomial-time algorithm for Quadratic Residues, by using the "square-and-
multiply" technique for exponentiation modulo p. The complexity of the algorithm will be O((log p)³).
We now need to give some further definitions from number theory.

DEFINITION 4.3 Suppose p is an odd prime. For any integer a ≥ 0, we define the Legendre symbol
$\left(\frac{a}{p}\right)$ as follows:

$$\left(\frac{a}{p}\right) = \begin{cases}
0 & \text{if } a \equiv 0 \pmod p \\
1 & \text{if } a \text{ is a quadratic residue modulo } p \\
-1 & \text{if } a \text{ is a quadratic non-residue modulo } p.
\end{cases}$$

We have already seen that a^{(p−1)/2} ≡ 1 (mod p) if and only if a is a quadratic residue modulo p. If a is a
multiple of p, then it is clear that a^{(p−1)/2} ≡ 0 (mod p). Finally, if a is a quadratic non-residue modulo p,
then a^{(p−1)/2} ≡ −1 (mod p), since a^{p−1} ≡ 1 (mod p) makes a^{(p−1)/2} a square root of 1 modulo p, hence
±1, and it is not 1. Hence, we have the following result, which provides an efficient algorithm to evaluate
Legendre symbols:

THEOREM 4.9

Suppose p is an odd prime. Then

$$\left(\frac{a}{p}\right) \equiv a^{(p-1)/2} \pmod p.$$



Next, we define a generalization of the Legendre symbol.

DEFINITION 4.4 Suppose n is an odd positive integer, and the prime power factorization of n is
$n = \prod_{i=1}^{k} p_i^{e_i}$. Let a ≥ 0 be an integer. The Jacobi symbol $\left(\frac{a}{n}\right)$ is defined to be

$$\left(\frac{a}{n}\right) = \prod_{i=1}^{k} \left(\frac{a}{p_i}\right)^{e_i}.$$
Example 4.7

Consider the Jacobi symbol $\left(\frac{6278}{9975}\right)$. The prime power factorization of 9975 is 9975 = 3 × 5² × 7 × 19.
Thus we have

$$\begin{aligned}
\left(\frac{6278}{9975}\right) &= \left(\frac{6278}{3}\right)\left(\frac{6278}{5}\right)^2\left(\frac{6278}{7}\right)\left(\frac{6278}{19}\right) \\
&= \left(\frac{2}{3}\right)\left(\frac{3}{5}\right)^2\left(\frac{6}{7}\right)\left(\frac{8}{19}\right) \\
&= (-1)(-1)^2(-1)(-1) \\
&= -1.
\end{aligned}$$

Suppose n > 1 is odd. If n is prime then $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod n$ for any a. On the other hand, if n is
composite, it may or may not be the case that $\left(\frac{a}{n}\right) \equiv a^{(n-1)/2} \pmod n$. If this congruence holds, then n is
called an Euler pseudo-prime to the base a. For example, 91 is an Euler pseudo-prime to the base 10,
since

$$\left(\frac{10}{91}\right) = -1 = 10^{45} \bmod 91.$$



However, it can be shown that, for any odd composite n, n is an Euler pseudo-prime to the base a for at
most half of the integers a such that 1 ≤ a ≤ n − 1 (see the exercises). This fact shows that the Solovay-
Strassen primality test, which we present in Figure 4.7, is a yes-biased Monte Carlo algorithm with error
probability at most 1/2. At this point it is not clear that the algorithm is a polynomial-time algorithm. We
already know how to evaluate a^{(n−1)/2} mod n in time O((log n)³), but how do we compute Jacobi symbols
efficiently? It might appear to be necessary to first factor n, since the Jacobi symbol $\left(\frac{a}{n}\right)$ is defined in
terms of the factorization of n. But, if we could factor n, we would already know if it is prime, so this
approach ends up in a vicious circle.

Fortunately, we can evaluate a Jacobi symbol without factoring n by using some results from number
theory, the most important of which is a generalization of the law of quadratic reciprocity (property 4
below). We now enumerate these properties without proof:



Figure 4.7 The Solovay-Strassen primality test for an odd integer n 

1. If n is an odd integer and m₁ ≡ m₂ (mod n), then

$$\left(\frac{m_1}{n}\right) = \left(\frac{m_2}{n}\right).$$

2. If n is an odd integer, then

$$\left(\frac{2}{n}\right) = \begin{cases} 1 & \text{if } n \equiv \pm 1 \pmod 8 \\ -1 & \text{if } n \equiv \pm 3 \pmod 8. \end{cases}$$

3. If n is an odd integer, then

$$\left(\frac{m_1 m_2}{n}\right) = \left(\frac{m_1}{n}\right)\left(\frac{m_2}{n}\right).$$

In particular, if m = 2^k t, where t is odd, then

$$\left(\frac{m}{n}\right) = \left(\frac{2}{n}\right)^k \left(\frac{t}{n}\right).$$

4. Suppose m and n are odd integers. Then

$$\left(\frac{m}{n}\right) = \begin{cases} -\left(\frac{n}{m}\right) & \text{if } m \equiv n \equiv 3 \pmod 4 \\ \left(\frac{n}{m}\right) & \text{otherwise.} \end{cases}$$



Example 4.8

As an illustration of the application of these properties, we evaluate a Jacobi symbol with numerator
7411 as follows, applying at each step:

by property 4
by property 1
by property 3
by property 2
by property 4
by property 1
by property 3
by property 2
by property 4
by property 1
by property 2

Notice that we successively apply properties 4, 1, 3, and 2 in this computation.

In general, by applying these four properties, it is possible to compute a Jacobi symbol $\left(\frac{m}{n}\right)$ in
polynomial time. The only arithmetic operations that are required are modular reductions and factoring
out powers of two. Note that if an integer is represented in binary notation, then factoring out powers of
two amounts to determining the number of trailing zeroes. So, the complexity of the algorithm is
determined by the number of modular reductions that must be done. It is not difficult to show that at
most O(log n) modular reductions are performed, each of which can be done in time O((log n)²). This
shows that the complexity is O((log n)³), which is polynomial in log n. (In fact, the complexity can be
shown to be O((log n)²) by more precise analysis.)
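The following is an added example, not code from the book: it implements Euler's criterion (Theorem 4.9), the Jacobi-symbol algorithm assembled from properties 1 to 4 exactly as Example 4.8 applies them, and the Solovay-Strassen test of Figure 4.7 as the text describes it (compare the Jacobi symbol with a^{(n−1)/2} mod n). The function names and the use of Python's built-in `pow` for square-and-multiply are choices made here; the values checked are those of Examples 4.6 and 4.7 and of the Euler pseudo-prime 91.

```python
# Added example (not from the book): Legendre symbol by Euler's criterion,
# Jacobi symbol without factoring n, and the Solovay-Strassen test.
import random


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion."""
    r = pow(a, (p - 1) // 2, p)         # square-and-multiply, O((log p)^3)
    return -1 if r == p - 1 else r      # r is 0, 1 or p-1 (i.e. -1 mod p)


def jacobi(m: int, n: int) -> int:
    """Jacobi symbol (m/n) for odd positive n, computed without factoring n.

    Each loop turn applies property 1 (reduce m mod n), property 3 with
    property 2 (strip the factors of two from m), then property 4 (swap).
    """
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    result = 1
    m %= n                              # property 1
    while m != 0:
        k = (m & -m).bit_length() - 1   # number of trailing zero bits
        t = m >> k                      # m = 2^k t with t odd
        if k % 2 == 1 and n % 8 in (3, 5):
            result = -result            # property 2: (2/n) = -1 iff n = +-3 mod 8
        if t % 4 == 3 and n % 4 == 3:
            result = -result            # property 4: sign flips for the 3 mod 4 case
        m, n = n % t, t                 # property 4 (swap) then property 1 (reduce)
    return result if n == 1 else 0      # gcd(m, n) > 1 makes the symbol 0


def is_euler_pseudoprime(n: int, a: int) -> bool:
    """True when (a/n) = a^((n-1)/2) mod n, i.e. base a does not expose n."""
    return jacobi(a, n) % n == pow(a, (n - 1) // 2, n)


def solovay_strassen(n: int, rounds: int = 20, rng=random) -> str:
    """Yes-biased Monte Carlo test for Composites, repeated `rounds` times.

    'composite' is always correct; a 'prime' verdict on a composite n has
    probability at most 2^-rounds, since at most half the bases are liars.
    """
    if n < 3 or n % 2 == 0:
        return "prime" if n == 2 else "composite"
    for _ in range(rounds):
        a = rng.randrange(1, n)         # random base, 1 <= a <= n-1
        if jacobi(a, n) == 0:           # gcd(a, n) > 1: n is composite
            return "composite"
        if not is_euler_pseudoprime(n, a):
            return "composite"
    return "prime"


def euler_liar_fraction(n: int) -> float:
    """Fraction of bases 1 <= a <= n-1 for which one round accepts composite n."""
    liars = sum(1 for a in range(1, n) if is_euler_pseudoprime(n, a))
    return liars / (n - 1)
```

`euler_liar_fraction` enumerates all bases, so it is only for small n; it confirms the "at most half" bound the error-probability argument rests on.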

Suppose that we have generated a random number n and tested it for primality using the Solovay-
Strassen algorithm. If we have run the algorithm m times, what is our confidence that n is prime? It is
tempting to conclude that the probability that such an integer n is prime is 1 − 2^{−m}. This conclusion is
often stated in both textbooks and technical articles, but it cannot be inferred from the given data.



We need to be careful about our use of probabilities. We will define the following events: a
denotes the event

"a random odd integer n of a specified size is composite,"

and b denotes the event

"the algorithm answers 'n is prime' m times in succession."

It is certainly the case that prob(b | a) ≤ 2^{−m}. However, the probability that we are really interested in is
prob(a | b), which is usually not the same as prob(b | a).

We can compute prob(a | b) using Bayes' theorem (Theorem 2.1). In order to do this, we need to know
prob(a). Suppose N ≤ n ≤ 2N. Applying the Prime number theorem, the number of (odd) primes between
N and 2N is approximately

$$\frac{2N}{\ln 2N} - \frac{N}{\ln N} \approx \frac{N}{\ln N} \approx \frac{n}{\ln n}.$$

Since there are N/2 ≈ n/2 odd integers between N and 2N, we will use the estimate

$$\mathrm{prob}(a) \approx 1 - \frac{2}{\ln n}.$$

Then we can compute as follows:

$$\begin{aligned}
\mathrm{prob}(a \mid b) &= \frac{\mathrm{prob}(b \mid a)\,\mathrm{prob}(a)}{\mathrm{prob}(b)} \\
&= \frac{\mathrm{prob}(b \mid a)\,\mathrm{prob}(a)}{\mathrm{prob}(b \mid a)\,\mathrm{prob}(a) + \mathrm{prob}(b \mid \bar a)\,\mathrm{prob}(\bar a)} \\
&= \frac{\mathrm{prob}(b \mid a)\left(1 - \frac{2}{\ln n}\right)}{\mathrm{prob}(b \mid a)\left(1 - \frac{2}{\ln n}\right) + \frac{2}{\ln n}} \\
&= \frac{\mathrm{prob}(b \mid a)(\ln n - 2)}{\mathrm{prob}(b \mid a)(\ln n - 2) + 2} \\
&\le \frac{2^{-m}(\ln n - 2)}{2^{-m}(\ln n - 2) + 2} \\
&= \frac{\ln n - 2}{\ln n - 2 + 2^{m+1}}.
\end{aligned}$$

Note that in this computation, ā denotes the event

"a random odd integer n is prime,"

and prob(b | ā) = 1, since the algorithm never answers "n is composite" when n is prime. The inequality
uses prob(b | a) ≤ 2^{−m} together with the fact that u/(u + 2) is increasing in u.

Figure 4.8 Error probabilities for the Solovay-Strassen test

It is interesting to compare the two quantities (ln n − 2)/(ln n − 2 + 2^{m+1}) and 2^{−m} as a function of m.
Suppose that n ≈ 2^{256} ≈ e^{177}, since these are the sizes of primes that we seek for use in RSA. Then
the first function is roughly 175/(175 + 2^{m+1}). We tabulate the two functions for some values of m in
Figure 4.8.

Although 175/(175 + 2^{m+1}) approaches zero exponentially quickly, it does not do so as quickly as 2^{−m}. In
practice, however, one would take m to be something like 50 or 100, which will reduce the probability of
error to a very small quantity.

We conclude this section with another Monte Carlo algorithm for Composites which is known as the
Miller-Rabin algorithm (it is also known as the "strong pseudo-prime test"). This algorithm is presented
in Figure 4.9. It is clearly a polynomial-time algorithm: an elementary analysis shows that its complexity
is O((log n)³), as in the case of the Solovay-Strassen test. In fact, the Miller-Rabin algorithm performs
better in practice than the Solovay-Strassen algorithm.
We show now that this algorithm cannot answer "n is composite" if n is prime, i.e., the algorithm is yes-
biased.

THEOREM 4.10

The Miller-Rabin algorithm for Composites is a yes-biased Monte Carlo algorithm.

PROOF We will prove this by assuming the algorithm answers "n is composite" for some prime integer
n, and obtain a contradiction. Since the algorithm answers "n is composite," it must be the case that
a^m ≢ 1 (mod n). Now consider the sequence of values b tested in the algorithm. Since b is squared in
each iteration of the for loop, we are testing the values a^m, a^{2m}, ..., a^{2^{k−1} m}. Since the algorithm
answers "n is composite," we conclude that

$$a^{2^i m} \not\equiv -1 \pmod n$$

for 0 ≤ i ≤ k − 1.

Figure 4.9 The Miller-Rabin primality test for an odd integer n

Now, using the assumption that n is prime, Fermat's theorem (Corollary 4.6) tells us that

$$a^{2^k m} \equiv 1 \pmod n,$$

since n − 1 = 2^k m. Then a^{2^{k−1} m} is a square root of 1 modulo n. Since n is prime, there are only two
square roots of 1 modulo n, namely, ±1 mod n. This can be seen as follows: x is a square root of 1
modulo n if and only if

$$n \mid (x - 1)(x + 1).$$

Cryptography: Theory and Practice: The RSA System and Factoring

Since n is prime, either n | (x − 1) (i.e., x ≡ 1 (mod n)) or n | (x + 1) (i.e., x ≡ −1 (mod n)).

We have that

$$a^{2^{k-1} m} \not\equiv -1 \pmod n,$$

so it follows that

$$a^{2^{k-1} m} \equiv 1 \pmod n.$$

Then a^{2^{k−2} m} must be a square root of 1. By the same argument,

$$a^{2^{k-2} m} \equiv 1 \pmod n.$$

Repeating this argument, we eventually obtain

$$a^m \equiv 1 \pmod n,$$

which is a contradiction, since the algorithm would have answered "n is prime" in this case.

It remains to consider the error probability of the Miller-Rabin algorithm. Although we will not prove it
here, the error probability can be shown to be, at most, 1/4.
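The following is an added example, not code from the book: one round of the Miller-Rabin test as the proof of Theorem 4.10 describes it (write n − 1 = 2^k m, compute b = a^m mod n, then square at most k times looking for −1), the repeated test, and an exhaustive count of the bases that fool one round, so the "at most 1/4" claim can be seen on small composites. The composite 561 used in the check is a choice made here; 91 and the base 10 come from the text.

```python
# Added example (not from the book): the Miller-Rabin test of Figure 4.9 and a
# count of "strong liars" for small composites.
import random


def miller_rabin_round(n: int, a: int) -> str:
    """One round with base a (1 <= a <= n-1) for odd n.

    Never answers 'composite' for a prime n (Theorem 4.10): doing so would
    exhibit a square root of 1 other than +-1, impossible modulo a prime.
    """
    m, k = n - 1, 0
    while m % 2 == 0:                   # write n - 1 = 2^k m with m odd
        m //= 2
        k += 1
    b = pow(a, m, n)                    # b = a^m mod n
    if b == 1:
        return "prime"
    for _ in range(k):                  # test a^m, a^{2m}, ..., a^{2^{k-1} m}
        if b == n - 1:                  # reached -1: n may be prime
            return "prime"
        b = (b * b) % n
    return "composite"                  # 1 was never preceded by -1


def miller_rabin(n: int, rounds: int = 20, rng=random) -> str:
    """Repeat the round; a 'prime' verdict on a composite has probability <= 4^-rounds."""
    if n < 4:
        return "prime" if n in (2, 3) else "composite"
    if n % 2 == 0:
        return "composite"
    for _ in range(rounds):
        if miller_rabin_round(n, rng.randrange(1, n)) == "composite":
            return "composite"
    return "prime"


def strong_liar_fraction(n: int) -> float:
    """Fraction of bases 1 <= a <= n-1 for which one round accepts composite n."""
    liars = sum(1 for a in range(1, n) if miller_rabin_round(n, a) == "prime")
    return liars / (n - 1)
```

Base 10 is a liar for 91 in both tests: 10^45 ≡ −1 (mod 91), which is exactly the value the Euler pseudo-prime example above exhibits. Bases 1 and n − 1 are liars for every odd n, so the fraction is never zero.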

4.6 Attacks On RSA 

In this section, we address the question: are there possible attacks on RSA other than factoring n? Let us
first observe that it is sufficient for the cryptanalyst to compute φ(n). For, if n and φ(n) are known, and n
is the product of two primes p, q, then n can be easily factored, by solving the two equations

n = pq
φ(n) = (p − 1)(q − 1)

for the two "unknowns" p and q. If we substitute q = n/p into the second equation, we obtain a quadratic
equation in the unknown value p:

$$p^2 - (n - \varphi(n) + 1)p + n = 0.$$

The two roots of this equation will be p and q, the factors of n. Hence, if a cryptanalyst can learn the
value of φ(n), then he can factor n and break the system. In other words, computing φ(n) is no easier than
factoring n.

Here is an example to illustrate. 
Example 4.9 

Suppose the cryptanalyst has learned that n = 84773093 and φ(n) = 84754668. This information gives
rise to the following quadratic equation:

$$p^2 - 18426p + 84773093 = 0.$$

This can be solved by the quadratic formula, yielding the two roots 9539 and 8887. These are the two
factors of n.

4.6.1 The Decryption Exponent 

We will now prove the very interesting result that any algorithm which computes the decryption 
exponent a can be used as a subroutine (or oracle) in a probabilistic algorithm that factors n. So we can 
say that computing a is no easier than factoring n. However, this does not rule out the possibility of 
breaking the cryptosystem without computing a. 

Notice that this result is of much more than theoretical interest. It tells us that if a is revealed, then the 
value n is also compromised. If this happens, it is not sufficient for Bob to choose a new encryption 
exponent; he must also choose a new modulus n. 

The algorithm we are going to describe is a probabilistic algorithm of the Las Vegas type. Here is the 
definition: 

DEFINITION 4.5 Suppose 0 < e <\ is a real number. A Las Vegas algorithm is a probabilistic 
algorithm such that, for any problem instance I, the algorithm may fail to give an answer with some 
probability e (i.e., it can terminate with the message "no answer"). However, if the algorithm does 
return an answer, then the answer must be correct. 

REMARK Las Vegas algorithm may not give an answer, but any answer it gives is correct. In contrast, a 
Monte Carlo algorithm always gives an answer, but the answer may be incorrect. 

If we have a Las Vegas algorithm to solve a problem, then we simply run the algorithm over and over 
again until it finds an answer. The probability that the algorithm will return "no answer" m times in 
succession is ε^m. The average (i.e., expected) number of times the algorithm must be run in order to
obtain an answer is in fact 1/(1 − ε) (see the exercises).

Suppose that A is a hypothetical algorithm that computes the decryption exponent a from b and n. We
will describe a Las Vegas algorithm that uses A as an oracle. This algorithm will factor n with
probability at least 1/2. Hence, if the algorithm is run m times, then n will be factored with probability at
least 1 − 1/2^m.

The algorithm is based on certain facts concerning square roots of 1 modulo n, where n = pq is the
product of two distinct odd primes. Recall that the congruence x² ≡ 1 (mod p) has two solutions modulo
p, namely x ≡ ±1 mod p. Similarly, the congruence x² ≡ 1 (mod q) has two solutions, namely x ≡ ±1 mod
q.

Now, since x² ≡ 1 (mod n) if and only if x² ≡ 1 (mod p) and x² ≡ 1 (mod q), it follows that x² ≡ 1 (mod n)
if and only if x ≡ ±1 mod p and x ≡ ±1 mod q. Hence, there are four square roots of 1 modulo n, and they
can be found using the Chinese remainder theorem. Two of these solutions are x ≡ ±1 mod n; these are
called the trivial square roots of 1 modulo n. The other two square roots are called non-trivial, and they
are negatives of each other modulo n.

Here is a small example to illustrate. 
Example 4.10

Suppose n = 403 = 13 × 31. The four square roots of 1 modulo 403 are 1, 92, 311 and 402. The square
root 92 is obtained by solving the system x ≡ 1 (mod 13), x ≡ −1 (mod 31) using the Chinese remainder
theorem. Having found this non-trivial square root, the other non-trivial square root must be 403 − 92 =
311. It is the solution to the system x ≡ −1 (mod 13), x ≡ 1 (mod 31).

Suppose x is a non-trivial square root of 1 modulo n. Then we have

$$n \mid (x - 1)(x + 1),$$

but n divides neither factor on the right side. It follows that gcd(x + 1, n) = p or q (and similarly, gcd(x −
1, n) = p or q). Of course, a greatest common divisor can be computed using the Euclidean algorithm,
without knowing the factorization of n. Hence, knowledge of a non-trivial square root of 1 modulo n
yields the factorization of n with only a polynomial amount of computation. This important fact is the
basis of many results in cryptography.

In Example 4.10 above, gcd(93, 403) = 31 and gcd(312, 403) = 13.



In Figure 4.10, we present an algorithm which, using the hypothetical algorithm A as a subroutine, 
attempts to factor n by finding a non-trivial square root of 1 modulo n. (Recall that A computes the 
decryption exponent a corresponding to the encryption exponent b.) We first do an example to illustrate 
the application of this algorithm. 



Example 4.11

Suppose n = 89855713, b = 34986517 and a = 82330933, and the random value w = 5. We have

ab − 1 = 2³ × 360059073378795.

In step 6, v = 85877701, and in step 10, v = 1. In step 12, we compute

gcd(85877702, n) = 9103.

This is one factor of n; the other is n/9103 = 9871.

Let's now proceed to the analysis of the algorithm. First, observe that if we are lucky enough to choose
w to be a multiple of p or q, then we can factor n immediately. This is detected in step 2.

Figure 4.10 Factoring algorithm, given the decryption exponent a

If w is relatively prime to n, then we compute w^r, w^{2r}, w^{4r}, ... by successive squaring, until

$$w^{2^t r} \equiv 1 \pmod n$$

for some t. Since

$$ab - 1 = 2^s r \equiv 0 \pmod{\varphi(n)},$$

we know that w^{2^s r} ≡ 1 (mod n). Hence, the while loop terminates after at most s iterations. At the
end of the while loop, we have found a value v₀ such that v₀² ≡ 1 (mod n) but v₀ ≢ 1 (mod n). If v₀ ≡ −1
(mod n), then the algorithm fails; otherwise, v₀ is a non-trivial square root of 1 modulo n and we are able
to factor n (step 12).

The main task facing us now is to prove that the algorithm succeeds with probability at least 1/2. There 
are two ways in which the algorithm can fail to factor n: 

1. w^r ≡ 1 (mod n) (step 7)

2. w^{2^t r} ≡ −1 (mod n) for some t, 0 ≤ t ≤ s − 1 (step 11)

We have s + 1 congruences to consider. If a random value w is a solution to at least one of these s + 1 
congruences, then it is a "bad" choice, and the algorithm fails. So we proceed by counting the number of 
solutions to each of these congruences. 
First, consider the congruence w^r ≡ 1 (mod n). The way to analyze a congruence such as this is to
consider solutions modulo p and modulo q separately, and then combine them using the Chinese
remainder theorem. Observe that x ≡ 1 (mod n) if and only if x ≡ 1 (mod p) and x ≡ 1 (mod q).

So, we first consider w^r ≡ 1 (mod p). Since p is prime, ℤ_p* is a cyclic group by Theorem 4.7. Let g be a
primitive element modulo p. We can write w = g^u for a unique integer u, 0 ≤ u ≤ p − 2. Then we have

$$\begin{aligned}
w^r &\equiv 1 \pmod p \\
\Leftrightarrow\quad g^{ur} &\equiv 1 \pmod p \\
\Leftrightarrow\quad (p-1) &\mid ur.
\end{aligned}$$
Let us write

$$p - 1 = 2^i p_1,$$

where p₁ is odd, and

$$q - 1 = 2^j q_1,$$

where q₁ is odd. Since

$$\varphi(n) = (p-1)(q-1) \mid (ab - 1) = 2^s r,$$

we have that

$$i + j \le s$$

and

$$p_1 q_1 \mid r.$$

Now, the condition (p − 1) | ur becomes 2^i p₁ | ur. Since p₁ | r and r is odd, it is necessary and sufficient
that 2^i | u. Hence, u = k 2^i, 0 ≤ k ≤ p₁ − 1, and the number of solutions to the congruence w^r ≡ 1 (mod p) is
p₁.

By an identical argument, the congruence w^r ≡ 1 (mod q) has exactly q₁ solutions. We can combine any
solution modulo p with any solution modulo q to obtain a unique solution modulo n, using the Chinese
remainder theorem. Consequently, the number of solutions to the congruence w^r ≡ 1 (mod n) is p₁ q₁.
The next step is to consider a congruence w^{2^t r} ≡ −1 (mod n) for a fixed value t (where 0 ≤ t ≤ s − 1).
Again, we first look at the congruence modulo p and then modulo q (note that w^{2^t r} ≡ −1 (mod n) if and
only if w^{2^t r} ≡ −1 (mod p) and w^{2^t r} ≡ −1 (mod q)). First, consider w^{2^t r} ≡ −1 (mod p). Writing w =
g^u, as above, we get

$$g^{u 2^t r} \equiv -1 \pmod p.$$

Since g^{(p−1)/2} ≡ −1 (mod p), we have that

$$\begin{aligned}
u 2^t r &\equiv \frac{p-1}{2} \pmod{p-1} \\
\Leftrightarrow\quad (p-1) &\mid \left(u 2^t r - \frac{p-1}{2}\right) \\
\Leftrightarrow\quad 2(p-1) &\mid \left(u 2^{t+1} r - (p-1)\right).
\end{aligned}$$

Since p − 1 = 2^i p₁, we get

$$2^{i+1} p_1 \mid \left(u 2^{t+1} r - 2^i p_1\right).$$

Taking out a common factor of p₁, this becomes

$$2^{i+1} \mid \left(u 2^{t+1} \frac{r}{p_1} - 2^i\right).$$

Now, if t ≥ i, then there can be no solutions since 2^{i+1} | u 2^{t+1} r/p₁ but 2^{i+1} ∤ 2^i. On the other hand, if t ≤ i − 1,
then u is a solution if and only if u is an odd multiple of 2^{i−t−1} (note that r/p₁ is an odd integer). So, the
number of solutions in this case is

$$\frac{p-1}{2^{i-t}} = 2^t p_1.$$

By similar reasoning, the congruence w^{2^t r} ≡ −1 (mod q) has no solutions if t ≥ j, and 2^t q₁ solutions if
t ≤ j − 1. Using the Chinese remainder theorem, we see that the number of solutions of w^{2^t r} ≡ −1
(mod n) is

$$\begin{cases} 0 & \text{if } t \ge \min\{i, j\} \\ 2^{2t} p_1 q_1 & \text{if } t \le \min\{i, j\} - 1. \end{cases}$$

Now, t can range from 0 to s − 1. Without loss of generality, suppose i ≤ j; then the number of solutions
is 0 if t ≥ i. The total number of "bad" choices for w is at most

$$p_1 q_1 \left(1 + \sum_{t=0}^{i-1} 2^{2t}\right) = p_1 q_1 \left(1 + \frac{2^{2i} - 1}{3}\right) = p_1 q_1 \left(\frac{2}{3} + \frac{2^{2i}}{3}\right).$$

Recall that p − 1 = 2^i p₁ and q − 1 = 2^j q₁. Now, j ≥ i ≥ 1, so p₁ q₁ ≤ (p − 1)(q − 1)/4 < n/4. We also have that

$$2^{2i} p_1 q_1 \le (p-1)(q-1) < n.$$

Hence, we obtain

$$p_1 q_1 \left(\frac{2}{3} + \frac{2^{2i}}{3}\right) < \frac{n}{6} + \frac{n}{3} = \frac{n}{2}.$$

Since at most (n − 1)/2 choices for w are "bad," it follows that at least (n − 1)/2 choices are "good" and
hence the probability of success of the algorithm is at least 1/2.
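The following is an added example, not code from the book, covering the three factoring routes of this section: factoring from φ(n) by the quadratic of Example 4.9, the four square roots of 1 by the Chinese remainder theorem (Example 4.10), and the Las Vegas algorithm of Figure 4.10 given the decryption exponent, following the steps as the text describes them (Example 4.11). The function names are choices made here; the numbers are those of the three examples.

```python
# Added example (not from the book): factoring n = pq from phi(n), from a
# non-trivial square root of 1, and from the RSA decryption exponent a.
from math import gcd, isqrt
from typing import List, Optional, Tuple


def factor_from_phi(n: int, phi: int) -> Tuple[int, int]:
    """Solve p^2 - (n - phi + 1) p + n = 0 exactly in integers (Example 4.9)."""
    s = n - phi + 1                     # = p + q
    disc = s * s - 4 * n                # = (p - q)^2
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("phi is not consistent with n = pq")
    p, q = (s - root) // 2, (s + root) // 2
    assert p * q == n
    return p, q


def crt2(a1: int, m1: int, a2: int, m2: int) -> int:
    """x with x = a1 (mod m1) and x = a2 (mod m2), for coprime m1, m2."""
    return (a1 * m2 * pow(m2, -1, m1) + a2 * m1 * pow(m1, -1, m2)) % (m1 * m2)


def square_roots_of_one(p: int, q: int) -> List[int]:
    """All four square roots of 1 modulo pq: combine +-1 mod p with +-1 mod q."""
    return sorted(crt2(sp, p, sq, q) for sp in (1, p - 1) for sq in (1, q - 1))


def factor_from_root_of_one(n: int, x: int) -> Tuple[int, int]:
    """x^2 = 1 (mod n) with x != +-1: gcd(x + 1, n) is a proper factor."""
    d = gcd(x + 1, n)
    if d in (1, n):
        raise ValueError("x is a trivial square root of 1")
    return d, n // d


def factor_from_decryption_exponent(n: int, a: int, b: int, w: int) -> Optional[Tuple[int, int]]:
    """Las Vegas factoring of n from RSA exponents a, b and a random w.

    Returns (factor, cofactor), or None when w is one of the 'bad' choices;
    the text shows at least half of 1 <= w <= n-1 succeed.
    """
    r, s = a * b - 1, 0
    while r % 2 == 0:                   # ab - 1 = 2^s r with r odd
        r //= 2
        s += 1
    x = gcd(w, n)
    if 1 < x < n:
        return x, n // x                # w already shares a factor with n
    v = pow(w, r, n)
    if v == 1:
        return None                     # failure 1: w^r = 1
    v0 = v
    while v != 1:                       # at most s squarings, since w^(2^s r) = 1
        v0 = v
        v = (v * v) % n
    if v0 == n - 1:                     # failure 2: reached -1 before 1
        return None
    return factor_from_root_of_one(n, v0)


if __name__ == "__main__":
    print(factor_from_phi(84773093, 84754668))
    print(square_roots_of_one(13, 31))
    print(factor_from_decryption_exponent(89855713, 82330933, 34986517, 5))
```

For Example 4.11, w = 5 gives v = 5^r mod n = 85877701 on the first exponentiation, its square is already 1, and gcd(85877702, n) = 9103.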

4.6.2 Partial Information Concerning Plaintext Bits 

The other result we will discuss concerns partial information about the plaintext that might be "leaked"
by an RSA encryption. Two examples of partial information that we consider are the following:

1. given y = e_K(x), compute parity(y), where parity(y) denotes the low-order bit of x;

2. given y = e_K(x), compute half(y), where half(y) = 0 if 0 ≤ x < n/2 and half(y) = 1 if n/2 < x ≤ n − 1.

We will prove that, given y = e_K(x), any algorithm that computes parity(y) or half(y) can be used as an
oracle to construct an algorithm that computes the plaintext x. What this means is that, given a
ciphertext, computing the low-order bit of the plaintext is polynomially equivalent to determining the
whole plaintext!

First, we prove that computing parity(y) is polynomially equivalent to computing half(y). This follows
from the following two easily proved identities (see the exercises):

parity(y) = half(y × e_K(2) mod n)   (4.1)

(4.2)

and from the multiplicative rule e_K(x₁)e_K(x₂) = e_K(x₁x₂).

We will show how to compute x = d_K(y), given a hypothetical algorithm (oracle) which computes half(y).
The algorithm is presented in Figure 4.11. In steps 2-4, we compute

$$y_i = \mathrm{half}\!\left(y \times (e_K(2))^i\right) = \mathrm{half}\!\left(e_K(x \times 2^i)\right),$$

for 0 ≤ i ≤ ⌊log₂ n⌋. We observe that

$$\begin{aligned}
\mathrm{half}(e_K(x)) = 0 &\Leftrightarrow x \in [0, n/2), \\
\mathrm{half}(e_K(2x)) = 0 &\Leftrightarrow x \in [0, n/4) \cup [n/2, 3n/4), \\
\mathrm{half}(e_K(4x)) = 0 &\Leftrightarrow x \in [0, n/8) \cup [n/4, 3n/8) \cup [n/2, 5n/8) \cup [3n/4, 7n/8),
\end{aligned}$$

and so on. Hence, we can find x by a binary search technique, which is done in steps 7-11. Here is a
small example to illustrate.




Figure 4.11 Decrypting RSA ciphertext, given an oracle for computing half(y) 
Example 4.12

Suppose n = 1457, b = 779, and we have a ciphertext y = 722. e_K(2) is computed to be 946. Suppose,
using our oracle for half, that we obtain the following values y_i in step 3 of the algorithm:

Then the binary search proceeds as shown in Figure 4.12. Hence, the plaintext is x = ⌊999.55⌋ = 999.
4.7 The Rabin Cryptosystem

In this section, we describe the Rabin Cryptosystem, which is computationally secure against a chosen- 
plaintext attack provided that the modulus n=pq cannot be factored. The system is described in Figure 
4.13. 
Figure 4.12 Binary search for RSA decryption

We will show that the encryption function e_K is not an injection, so decryption cannot be done in an
unambiguous fashion. In fact, there are four possible plaintexts that could be the encryption of any given
ciphertext. More precisely, let ω be one of the four square roots of 1 modulo n. Let x ∈ ℤ_n. Then, we
can verify the following equations:

$$\begin{aligned}
e_K\!\left(\omega\left(x + \tfrac{B}{2}\right) - \tfrac{B}{2}\right)
&= \left(\omega\left(x + \tfrac{B}{2}\right) - \tfrac{B}{2}\right)\left(\omega\left(x + \tfrac{B}{2}\right) - \tfrac{B}{2} + B\right) \\
&= \left(\omega\left(x + \tfrac{B}{2}\right) - \tfrac{B}{2}\right)\left(\omega\left(x + \tfrac{B}{2}\right) + \tfrac{B}{2}\right) \\
&= \omega^2\left(x + \tfrac{B}{2}\right)^2 - \tfrac{B^2}{4} \\
&= \left(x + \tfrac{B}{2}\right)^2 - \tfrac{B^2}{4} \\
&= x^2 + Bx \\
&= e_K(x).
\end{aligned}$$

(Note that all arithmetic is being done in ℤ_n, and division by 2 and 4 is the same as multiplication by 2^{−1}
and 4^{−1} modulo n, respectively.)

The four plaintexts that encrypt to e_K(x) are x, −x − B, ω(x + B/2) − B/2 and −ω(x + B/2) − B/2, where ω is a
non-trivial square root of 1 modulo n. In general, there will be no way for Bob to distinguish which of
these four possible plaintexts is the "right" plaintext, unless the plaintext contains sufficient redundancy
to eliminate three of these four possible values.



Figure 4.13 Rabin Cryptosystem 

Let us look at the decryption problem from Bob's point of view. He is given a ciphertext y and wants to 
determine x such that 

x^2 + Bx ≡ y (mod n). 

This is a quadratic equation in the unknown x. We can eliminate the linear term by making the 
substitution x_1 = x + B/2, or equivalently, x = x_1 − B/2. Then the equation becomes 

x_1^2 − Bx_1 + B^2/4 + Bx_1 − B^2/2 − y ≡ 0 (mod n), 

or 

x_1^2 ≡ B^2/4 + y (mod n). 

If we define C = B^2/4 + y, then we can rewrite the congruence as 

x_1^2 ≡ C (mod n). 

So, decryption reduces to extracting square roots modulo n. This is equivalent to solving the two 
congruences 

x_1^2 ≡ C (mod p) 

and 

x_1^2 ≡ C (mod q). 

(There are two square roots of C modulo p and two square roots modulo q. Using the Chinese remainder 
theorem, these can be combined to yield four solutions modulo n.) We can use Euler's criterion to 
determine if C is a quadratic residue modulo p (and modulo q). In fact, C will be a quadratic residue 
modulo p and modulo q if encryption was performed correctly. But Euler's criterion does not help us 
find the square roots of C; it yields only an answer "yes" or "no." 

When p ≡ 3 (mod 4), there is a simple formula to compute square roots of quadratic residues modulo p. 
Suppose C is a quadratic residue and p ≡ 3 (mod 4). Then we have that 

(±C^{(p+1)/4})^2 = C^{(p+1)/2} 
                = C^{(p−1)/2} C 
                ≡ C (mod p). 

Here we again make use of Euler's criterion, which says that if C is a quadratic residue modulo p, then 
C^{(p−1)/2} ≡ 1 (mod p). Hence, the two square roots of C modulo p are ±C^{(p+1)/4} mod p. In a similar fashion, 
the two square roots of C modulo q are ±C^{(q+1)/4} mod q. It is then straightforward to obtain the four 
square roots x_1 of C modulo n using the Chinese remainder theorem. 

REMARK It is interesting that for p ≡ 1 (mod 4) there is no known polynomial-time deterministic 
algorithm to compute square roots of quadratic residues modulo p. There is a polynomial-time Las 
Vegas algorithm, however. 

Once we have determined the four possible values for x_1, we compute x from the equation x = x_1 − B/2 to 
get the four possible plaintexts. This yields the decryption formula 

d_K(y) = √(B^2/4 + y) − B/2 mod n. 

Example 4.13 

Let's illustrate the encryption and decryption procedures for the Rabin Cryptosystem with a toy 
example. Suppose n = 77 = 7 × 11 and B = 9. Then the encryption function is 

e_K(x) = x^2 + 9x mod 77 

and the decryption function is 

d_K(y) = √(1 + y) − 43 mod 77. 



Suppose Bob wants to decrypt the ciphertext y = 22. It is first necessary to find the square roots of 23 
modulo 7 and modulo 11. Since 7 and 11 are both congruent to 3 modulo 4, we use our formula: 

23^{(7+1)/4} = 2^2 = 4 mod 7 

and 

23^{(11+1)/4} = 1^3 = 1 mod 11. 

Figure 4.14 Factoring a Rabin modulus, given a decryption oracle 

Using the Chinese remainder theorem, we compute the four square roots of 23 modulo 77 to be ±10, ±32 
mod 77. Finally, the four possible plaintexts are: 

10 − 43 mod 77 = 44 
67 − 43 mod 77 = 24 
32 − 43 mod 77 = 66 
45 − 43 mod 77 = 2. 

It can be verified that each of these plaintexts encrypts to the ciphertext 22. 

We now discuss the security of the Rabin Cryptosystem. We will prove that any hypothetical 
decryption algorithm A can be used as an oracle in a Las Vegas algorithm that factors the modulus n 
with probability at least 1/2. This algorithm is depicted in Figure 4.14. 

There are several points of explanation needed. First, observe that y = r^2 − B^2/4 = e_K(r − B/2) is a 
valid ciphertext, so a value x will be returned in step 3. Next, we look at step 4, where x_1 = x + B/2 is 
computed, and note that x_1^2 = x^2 + Bx + B^2/4 ≡ y + B^2/4 = r^2 (mod n). It follows 
that x_1 ≡ ±r (mod n) or x_1 ≡ ±ωr (mod n), where ω is one of the non-trivial square roots of 1 modulo n. 

In the second case, we have 

n | (x_1 − r)(x_1 + r), 

but n does not divide either factor on the right side. Hence, computation of gcd(x_1 + r, n) (or gcd(x_1 − r, 
n)) must yield either p or q, and the factorization of n is accomplished. 

Let's compute the probability of success of this algorithm, over all n − 1 choices for the random value r. 
For two non-zero residues r_1 and r_2, define 

r_1 ~ r_2 ⇔ r_1^2 ≡ r_2^2 (mod n). 

It is easy to see that r ~ r for all r; r_1 ~ r_2 implies r_2 ~ r_1; and r_1 ~ r_2 and r_2 ~ r_3 together imply r_1 ~ r_3. 
This says that the relation ~ is an equivalence relation. The equivalence classes of Z_n^* all have 
cardinality four: the equivalence class containing r is the set 

[r] = {±r, ±ωr mod n}, 

where ω is a non-trivial square root of 1 modulo n. 

In the algorithm presented in Figure 4.14, any two values r in the same equivalence class will yield the 
same value y. Now consider the value x returned by the oracle A when given y. We have x_1 = x + B/2 ∈ [r]. 
If r = ±x_1, then the algorithm fails; while it succeeds if r = ±ωx_1. Since r is chosen at random, it is equally 
likely to be any of these four possible values. We conclude that the probability of success of the 
algorithm is 1/2. 

It is interesting that the Rabin Cryptosystem is provably secure against a chosen plaintext attack. 
However, the system is completely insecure against a chosen ciphertext attack. In fact the algorithm in 
Figure 4.14, that we used to prove security against a chosen plaintext attack, also can be used to break 
the Rabin Cryptosystem in a chosen ciphertext attack! In the chosen ciphertext attack, the oracle A is 
replaced by Bob's decryption algorithm. 
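As an added illustration (not the book's own code), the following Python program implements the Rabin Cryptosystem of Figure 4.13 for primes p, q ≡ 3 (mod 4), reproduces Example 4.13 with n = 77 and B = 9, and runs the reduction of Figure 4.14 with Bob's own decryption function standing in for the oracle A. Letting the oracle answer with the smallest of the four plaintexts is a choice made here; any fixed choice gives the same count. Instead of one random r, the program tries every r ∈ Z_77^*, so the claimed success probability of 1/2 can be checked exactly.

```python
from math import gcd


def sqrt_mod_p3(c, p):
    """Square root of a quadratic residue c modulo a prime p ≡ 3 (mod 4): c^((p+1)/4) mod p."""
    assert p % 4 == 3
    r = pow(c, (p + 1) // 4, p)
    assert r * r % p == c % p, "c is not a quadratic residue modulo p"
    return r


def crt2(a1, m1, a2, m2):
    """The x modulo m1*m2 with x ≡ a1 (mod m1) and x ≡ a2 (mod m2), gcd(m1, m2) = 1."""
    return (a1 * m2 * pow(m2, -1, m1) + a2 * m1 * pow(m1, -1, m2)) % (m1 * m2)


class Rabin:
    """Rabin Cryptosystem (Figure 4.13) with n = pq, p, q ≡ 3 (mod 4) and 0 <= B <= n - 1."""

    def __init__(self, p, q, B):
        self.p, self.q, self.B, self.n = p, q, B, p * q
        self.half_B = B * pow(2, -1, self.n) % self.n          # B/2 mod n
        self.quarter_B2 = B * B * pow(4, -1, self.n) % self.n  # B^2/4 mod n

    def encrypt(self, x):
        """e_K(x) = x^2 + Bx mod n."""
        return (x * x + self.B * x) % self.n

    def decrypt(self, y):
        """d_K(y) = sqrt(B^2/4 + y) - B/2 mod n: all four candidates, in increasing order."""
        c = (self.quarter_B2 + y) % self.n
        rp, rq = sqrt_mod_p3(c, self.p), sqrt_mod_p3(c, self.q)
        roots = {crt2(sp * rp, self.p, sq * rq, self.q) for sp in (1, -1) for sq in (1, -1)}
        return sorted((x1 - self.half_B) % self.n for x1 in roots)


def factor_with_oracle(n, B, oracle, r):
    """One trial of Figure 4.14 with the given r: returns a non-trivial factor of n, or
    None when the oracle's answer satisfies x1 ≡ ±r (mod n)."""
    half_B = B * pow(2, -1, n) % n
    y = (r * r - B * B * pow(4, -1, n)) % n   # y = e_K(r - B/2), a valid ciphertext
    x = oracle(y)                              # some x with e_K(x) = y
    x1 = (x + half_B) % n                      # x1^2 ≡ r^2 (mod n)
    if x1 in (r % n, -r % n):
        return None
    d = gcd(x1 + r, n)                         # n | (x1 - r)(x1 + r) but divides neither factor
    assert 1 < d < n
    return d


def success_rate(rabin):
    """Run the reduction for every r in Z_n^*, using Bob's decryption (smallest of the
    four plaintexts) as the oracle. Returns (successes, trials, set of factors found)."""
    oracle = lambda y: rabin.decrypt(y)[0]
    units = [r for r in range(1, rabin.n) if gcd(r, rabin.n) == 1]
    results = [factor_with_oracle(rabin.n, rabin.B, oracle, r) for r in units]
    found = [d for d in results if d is not None]
    return len(found), len(units), set(found)


if __name__ == "__main__":
    toy = Rabin(7, 11, 9)                      # Example 4.13: n = 77, B = 9
    print(toy.decrypt(22))                     # [2, 24, 44, 66]
    print(success_rate(toy))                   # (30, 60, {7, 11}): exactly half succeed
```

Each equivalence class {±r, ±ωr} contributes two failing and two succeeding choices of r, which is where the count 30 out of 60 comes from; both prime factors appear because x_1 = ωr and x_1 = −ωr lead to gcd(x_1 + r, n) being a different one of p and q.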

4.8 Factoring Algorithms 

There is a huge amount of literature on factoring algorithms, and a careful treatment would require more 
pages than we have in this book. We will just try to give a brief overview here, including an informal 
discussion of the best current factoring algorithms and their use in practice. The three algorithms that are 
most effective on very large numbers are the quadratic sieve, the elliptic curve algorithm and the number 
field sieve. Other well-known algorithms that were precursors include Pollard's rho-method and p - 1 
algorithm, Williams' p + 1 algorithm, the continued fraction algorithm, and of course, trial division. 

Throughout this section, we suppose that the integer n that we wish to factor is odd. Trial division 
consists of dividing n by every odd integer up to ⌊√n⌋. If n is quite small, this is a perfectly reasonable 
factorization method, but for larger n we generally need to use more sophisticated techniques. 




Figure 4.15 The p - 1 factoring algorithm 
4.8.1 The p − 1 Method 

As an example of a simple algorithm that can sometimes be applied to larger integers, we describe 
Pollard's p − 1 algorithm, which dates from 1974. This algorithm, presented in Figure 4.15, has two 
inputs: the (odd) integer n to be factored, and a "bound" B. Here is what is taking place in the p − 1 
algorithm: Suppose p is a prime divisor of n, and q ≤ B for every prime power q | (p − 1). Then it must be 
the case that 

(p − 1) | B!. 

At the end of the for loop (step 2), 

a ≡ 2^{B!} (mod n), 

so 

a ≡ 2^{B!} (mod p) 

since p | n. Now, 

2^{p−1} ≡ 1 (mod p) 

by Fermat's theorem. Since (p − 1) | B!, we have that 

a ≡ 1 (mod p) 

(in step 3). Thus, in step 4, 

p | (a − 1) 

and p | n, so 

p | d = gcd(a − 1, n). 

The integer d will be a non-trivial divisor of n (unless a = 1 in step 3). Having found a non-trivial factor 
d, we would then proceed to attempt to factor d and n/d if they are composite. 

Here is an example to illustrate. 

Example 4.14 

Suppose n = 15770708441. If we apply the p − 1 algorithm with B = 180, then we find that a = 
11620221425 in step 3, and d is computed to be 135979. In fact, the complete factorization of n into 
primes is 

15770708441 = 135979 × 115979. 

In this case, the factorization succeeds because 135978 has only "small" prime factors: 

135978 = 2 × 3 × 131 × 173. 

Hence, by taking B ≥ 173, it will be the case that 135978 | B!, as desired. 

In the algorithm, there are B − 1 modular exponentiations, each requiring at most 2 log_2 B modular 
multiplications using square-and-multiply. The gcd computation can be done in time O((log n)^3) using 
the Euclidean algorithm. Hence, the complexity of the algorithm is O(B log B (log n)^2 + (log n)^3). If the 
integer B is O((log n)^i) for some fixed integer i, then the algorithm is indeed a polynomial-time 
algorithm; however, for such a choice of B the probability of success will be very small. On the other 
hand, if we increase the size of B drastically, say to √n, then the algorithm will be successful, but it will 
be no faster than trial division. 

Thus, the drawback of this method is that it requires n to have a prime factor p such that p − 1 has only 
"small" prime factors. It would be very easy to construct an RSA modulus n = pq which would resist 
factorization by this method. One would start by finding a large prime p_1 such that p = 2p_1 + 1 is also 
prime, and a large prime q_1 such that q = 2q_1 + 1 is also prime (using one of the Monte Carlo primality 
testing algorithms discussed in Section 4.5). Then the RSA modulus n = pq will be resistant to 
factorization using the p − 1 method. 
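The p − 1 method as an added Python example (not from the book): it runs Figure 4.15 on the n and B of Example 4.14, and also computes, by trial division, the prime-power bound that p − 1 must satisfy for a given prime p to be found. This is why B ≥ 173 succeeds for the factor 135979, while the other factor 115979, whose p − 1 = 2 × 103 × 563 contains the prime 563, is out of reach of that bound.

```python
from collections import Counter
from math import gcd


def pollard_p_minus_1(n, bound):
    """Figure 4.15: compute a = 2^(B!) mod n one exponent at a time, then d = gcd(a - 1, n).
    Returns d; 1 < d < n means a non-trivial factor of n was found."""
    a = 2
    for j in range(2, bound + 1):
        a = pow(a, j, n)                  # after this iteration a = 2^(j!) mod n
    return gcd(a - 1, n)


def trial_division(m):
    """Prime factors of m with multiplicity (m is small enough here for trial division)."""
    factors, f = [], 2
    while f * f <= m:
        while m % f == 0:
            factors.append(f)
            m //= f
        f += 1
    if m > 1:
        factors.append(m)
    return factors


def needed_bound(p):
    """Smallest B such that every prime power q dividing p - 1 satisfies q <= B.
    With that B each such q is one of the factors of B!, so (p - 1) | B! and the
    method recovers p."""
    return max(f ** e for f, e in Counter(trial_division(p - 1)).items())


if __name__ == "__main__":
    n, bound = 15770708441, 180           # Example 4.14
    d = pollard_p_minus_1(n, bound)
    print(d, n // d)                      # 135979 115979
    print(trial_division(d - 1))          # [2, 3, 131, 173]: 135978 is 173-smooth
    print(needed_bound(n // d))           # 563: beyond the reach of B = 180
```

The bound is computed over prime powers rather than primes because (p − 1) | B! needs every prime power dividing p − 1 to be at most B, exactly the condition stated above; for a prime p with p − 1 = 2p_1 and p_1 large, the needed bound is p_1 itself, which is the construction suggested for resisting the method.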

The more powerful elliptic curve algorithm, developed by Lenstra in the mid-1980's, is in fact a 
generalization of the p − 1 method. We will not discuss the theory at all here, but we do mention that the 
success of the elliptic curve method depends on the more likely situation that an integer "close to" p has 
only "small" prime factors. Whereas the p − 1 method depends on a relation that holds in the group Z_p^*, 
the elliptic curve method involves groups defined on elliptic curves modulo p. 

4.8.2 Dixon's Algorithm and the Quadratic Sieve 

Dixon's algorithm is based on a very simple idea that we already saw in connection with the Rabin 
Cryptosystem. Namely, if we can find x ≢ ±y (mod n) such that x^2 ≡ y^2 (mod n), then gcd(x − y, n) is 
a non-trivial factor of n. 

The method uses a factor base, which is a set 𝓑 of "small" primes. We first obtain several integers x such 
that all the prime factors of x^2 mod n occur in the factor base 𝓑. (How this is done will be discussed a 
bit later.) The idea is to then take the product of several of these x's in such a way that every prime in the 
factor base is used an even number of times. This then gives us a congruence of the desired type x^2 ≡ y^2 
(mod n), which (we hope) will lead to a factorization of n. 

We illustrate with a carefully contrived example. 

Example 4.15 

Suppose n = 15770708441 (this was the same n that we used in Example 4.14). Let 
𝓑 = {2, 3, 5, 7, 11, 13}. Consider the three congruences: 

8340934156^2 ≡ 3 × 7 (mod n) 
12044942944^2 ≡ 2 × 7 × 13 (mod n) 
2773700011^2 ≡ 2 × 3 × 13 (mod n). 

If we take the product of these three congruences, then we have 

(8340934156 × 12044942944 × 2773700011)^2 ≡ (2 × 3 × 7 × 13)^2 (mod n). 

Reducing the expressions inside the parentheses modulo n, we have 

9503435785^2 ≡ 546^2 (mod n). 

Then we compute 

gcd(9503435785 − 546, 15770708441) = 115979, 

finding the factor 115979 of n. 

Suppose 𝓑 = {p_1, ..., p_B} is the factor base. Let C be slightly larger than B (say C = B + 10), and 
suppose we have obtained C congruences: 

x_j^2 ≡ p_1^{a_{1j}} × p_2^{a_{2j}} × ... × p_B^{a_{Bj}} (mod n), 

for 1 ≤ j ≤ C. For each j, consider the vector 

a_j = (a_{1j} mod 2, ..., a_{Bj} mod 2) ∈ (Z_2)^B. 

If we can find a subset of the a_j's that sum modulo 2 to the vector (0, ..., 0), then the product of the 
corresponding x_j's will use each factor in 𝓑 an even number of times. 

We illustrate by returning to Example 4.15, where there exists a dependence even though C < B in this 
case. 

Example 4.15 (Cont.) 

The three vectors a_1, a_2, a_3 are as follows: 

a_1 = (0, 1, 0, 1, 0, 0) 
a_2 = (1, 0, 0, 1, 0, 1) 
a_3 = (1, 1, 0, 0, 0, 1). 

It is easy to see that 

a_1 + a_2 + a_3 = (0, 0, 0, 0, 0, 0) mod 2. 

This gives rise to the congruence we saw earlier that successfully factored n. 

Observe that finding a subset of the C vectors a_1, ..., a_C that sums modulo 2 to the all-zero vector is 
nothing more than finding a linear dependence (over Z_2) of these vectors. Provided C > B, such a linear 
dependence must exist, and it can be found easily using the standard method of Gaussian elimination. 
The reason why we take C > B + 1 is that there is no guarantee that any given congruence will yield the 
factorization of n. Approximately 50% of the time it will turn out that x ≡ ±y (mod n). But if C > B + 1, 
then we can obtain several such congruences (arising from different linear dependencies among the a_j's). 
Hopefully, at least one of the resulting congruences will yield the factorization. 
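The combination step of Dixon's algorithm, as an added Python example that is not from the book: the exponent vectors a_j are computed from the three x_j of Example 4.15 themselves rather than copied from the text, a linear dependence over Z_2 is found by Gaussian elimination with the combination history carried along as a bitmask, and the resulting congruence x^2 ≡ y^2 (mod n) is turned into a factor with gcd(x − y, n). The functions accept any list of relations and report every dependence found, testing each and skipping those with x ≡ ±y (mod n), which is the situation the C > B + 1 margin is meant to cover.

```python
from math import gcd

# Parameters of Example 4.15 (n is the same as in Example 4.14).
N = 15770708441
FACTOR_BASE = [2, 3, 5, 7, 11, 13]
RELATION_XS = [8340934156, 12044942944, 2773700011]


def factor_over_base(m, base):
    """Exponents of m over the factor base, or None if m has a prime factor outside it."""
    exps = []
    for p in base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None


def dependencies_mod2(vectors):
    """Gaussian elimination over Z_2. Each vector is a list of bits. Returns a list of
    index subsets whose vectors sum to the zero vector. Rows are stored as bitmasks
    together with a bitmask recording which original rows were combined into them."""
    deps, pivots = [], {}                      # pivots: column -> (row bits, history bits)
    for j, v in enumerate(vectors):
        row = sum(bit << i for i, bit in enumerate(v))
        hist = 1 << j
        for col in range(len(v)):              # reduce against pivots, lowest column first
            if (row >> col) & 1 and col in pivots:
                prow, phist = pivots[col]
                row ^= prow
                hist ^= phist
        if row == 0:                           # reduced to zero: a dependence was found
            deps.append([i for i in range(len(vectors)) if (hist >> i) & 1])
        else:                                  # keep it as the pivot for its lowest set bit
            pivots[(row & -row).bit_length() - 1] = (row, hist)
    return deps


def combine(n, xs, exps_list, base, subset):
    """Multiply the chosen relations: x = prod x_j mod n, y = prod p_i^(total_i / 2) mod n."""
    x, total = 1, [0] * len(base)
    for j in subset:
        x = x * xs[j] % n
        total = [t + e for t, e in zip(total, exps_list[j])]
    y = 1
    for p, t in zip(base, total):
        assert t % 2 == 0                      # guaranteed by the dependence
        y = y * pow(p, t // 2, n) % n
    return x, y


def dixon_factors(n, xs, base):
    """Exponent vectors of x_j^2 mod n and every (x, y, d) with d a non-trivial factor
    obtained from a dependence among the relations."""
    exps_list = [factor_over_base(x * x % n, base) for x in xs]
    assert None not in exps_list, "every x_j^2 mod n must be smooth over the base"
    vectors = [[e % 2 for e in exps] for exps in exps_list]
    found = []
    for subset in dependencies_mod2(vectors):
        x, y = combine(n, xs, exps_list, base, subset)
        assert x * x % n == y * y % n          # x^2 ≡ y^2 (mod n) by construction
        d = gcd(x - y, n)
        if 1 < d < n:                          # fails only when x ≡ ±y (mod n)
            found.append((x, y, d))
    return exps_list, found


if __name__ == "__main__":
    exps, found = dixon_factors(N, RELATION_XS, FACTOR_BASE)
    print(exps)                                # exponent vectors of the three relations
    print(found)                               # [(9503435785, 546, 115979)]
```

The elimination keeps, for each pivot row, the set of original relations it is built from, so that when a row reduces to zero the subset of x_j to multiply is read off directly; this is the bookkeeping that turns a zero combination of vectors into the congruence between products.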

It remains to discuss how we obtain integers x such that the values x^2 mod n factor completely over the 
factor base 𝓑. There are several methods of doing this. One common approach is the Quadratic Sieve 
due to Pomerance, which uses integers of the form x_i = i + ⌊√n⌋, i = 1, 2, .... The name "quadratic 
sieve" comes from a sieving procedure (which we will not describe here) that is used to determine those 
x_i's that factor over 𝓑. 

There is, of course, a trade-off here: if B = |𝓑| is large, then it is more likely that an integer x_i factors 
over 𝓑. But the larger B is, the more congruences we need to accumulate before we are able to find a 
dependence relation. The optimal choice for B is approximately 

√(e^{√(ln n ln ln n)}), 

and this leads to an expected running time of 

O(e^{(1+o(1))√(ln n ln ln n)}). 

The number field sieve is a more recent factoring algorithm from the late 1980's. It also factors n by 
constructing a congruence x^2 ≡ y^2 (mod n), but it does so by means of computations in rings of algebraic 
integers. 

4.8.3 Factoring Algorithms in Practice 

The asymptotic running times of the quadratic sieve, elliptic curve and number field sieve are as follows: 

quadratic sieve:      O(e^{(1+o(1))√(ln n ln ln n)}) 
elliptic curve:       O(e^{(1+o(1))√(2 ln p ln ln p)}) 
number field sieve:   O(e^{(1.92+o(1))(ln n)^{1/3}(ln ln n)^{2/3}}) 

The notation o(1) denotes a function of n that approaches 0 as n → ∞, and p denotes the smallest prime 
factor of n. 

In the worst case, p ≈ √n and the asymptotic running times of the quadratic sieve and elliptic curve 
algorithms are essentially the same. But in such a situation, quadratic sieve generally outperforms 
elliptic curve. The elliptic curve method is more useful if the prime factors of n are of differing size. One 
very large number that was factored using the elliptic curve method was the Fermat number 2^{2^{11}} + 1 in 
1988 by Brent. 

For factoring RSA moduli (where n = pq, p, q are prime, and p and q are roughly the same size), the 
quadratic sieve is currently the most successful algorithm. Some notable milestones have included the 
following factorizations. In 1983, the quadratic sieve successfully factored a 69-digit number that was a 
(composite) factor of 2^{251} − 1 (this computation was done by Davis, Holdridge, and Simmons). Progress 
continued throughout the 1980's, and by 1989, numbers having up to 106 digits were factored by this 
method by Lenstra and Manasse, by distributing the computations to hundreds of widely separated 
workstations (they called this approach "factoring by electronic mail"). 

More recently, in April 1994, a 129-digit number known as RSA-129 was factored by Atkins, Graff, 
Lenstra, and Leyland using the quadratic sieve. (The numbers RSA-100, RSA-110, ..., RSA-500 are a 
list of RSA moduli publicized on the Internet as "challenge" numbers for factoring algorithms. Each 
number RSA-J is a J-digit number that is the product of two primes of approximately the same length.) 
The factorization of RSA-129 required 5000 MIPS-years of computing time donated by over 600 
researchers around the world. 

The number field sieve is the most recent of the three algorithms. It seems to have great potential since 
its asymptotic running time is faster than either quadratic sieve or the elliptic curve. It is still in 
developmental stages, but people have speculated that number field sieve might prove to be faster for 
numbers having more than about 125-130 digits. In 1990, the number field sieve was used by Lenstra, 
Lenstra, Manasse, and Pollard to factor 2^{2^9} + 1 into three primes having 7, 49 and 99 digits. 
4.9 Notes and References 

The idea of public-key cryptography was introduced by Diffie and Hellman in 1976. Although [DH76A] 
is the most cited reference, the conference paper [DH76] actually appeared a bit earlier. The RSA 
Cryptosystem was discovered by Rivest, Shamir and Adleman [RSA78]. The Rabin Cryptosystem 
was described in Rabin [RA79]; a similar provably secure system in which decryption is unambiguous 
was found by Williams [WI80]. For a general survey article on public-key cryptography, we recommend 
Diffie [DI92]. 

The Solovay-Strassen test was first described in [SS77]. The Miller-Rabin test was given in [MI76] and 
[RA80]. Our discussion of error probabilities is motivated by observations of Brassard and Bratley 
[BB88A, §8.6] (see also [BBCGP88]). The best current bounds on the error probability of the Miller-
Rabin algorithm can be found in [DLP93]. 

The material in Section 4.6 is based on the treatment by Salomaa [SA90, pp. 143-154]. The factorization 
of n given the decryption exponent was proved in [DE84]; the results on partial information revealed by 
RSA are from [GMT82]. 

As mentioned earlier, there are many sources of information on factoring algorithms. Pomerance [PO90] 
is a good survey on factoring, and Lenstra and Lenstra [LL90] is a good article on number-theoretic 
algorithms in general. Bressoud [BR89] is an elementary textbook devoted to factoring and primality 
testing. Cryptography textbooks that emphasize number theory include Koblitz [KO94] and Kranakis 
[KR86]. Lenstra and Lenstra [LL93] is a monograph on the number field sieve. 

Exercises 4.7-4.9 give some examples of protocol failures. For a nice article on this subject, see Moore 
[MO92]. 

Exercises 

4.1 Use the Extended Euclidean algorithm to compute the following multiplicative inverses: 

(a) 17^{-1} mod 101 
(b) 357^{-1} mod 1234 
(c) 3125^{-1} mod 9987. 

4.2 Solve the following system of congruences: 

x ≡ 12 (mod 25) 
x ≡ 9 (mod 26) 
x ≡ 22 (mod 27). 

4.3 Solve the following system of congruences: 

13x ≡ 1 (mod 99) 
15x ≡ 56 (mod 101). 

HINT First use the Extended Euclidean algorithm, and then apply the Chinese remainder 
theorem. 

4.4 Here we investigate some properties of primitive roots. 

(a) The integer 97 is prime. Prove that x ≠ 0 is a primitive root modulo 97 if and only if 
x^{32} ≢ 1 (mod 97) and x^{48} ≢ 1 (mod 97). 

(b) Use this method to find the smallest primitive root modulo 97. 

(c) Suppose p is prime, and p − 1 has prime power factorization 

p − 1 = ∏_{i=1}^{n} p_i^{e_i}, 

where the p_i's are distinct primes. Prove that x ≠ 0 is a primitive root modulo p if and only 
if x^{(p−1)/p_i} ≢ 1 (mod p) for 1 ≤ i ≤ n. 

4.5 Suppose that n = pq, where p and q are distinct odd primes and ab ≡ 1 (mod (p − 1)(q − 1)). 
The RSA encryption operation is e(x) = x^b mod n and the decryption operation is d(y) = y^a mod n. 
We proved that d(e(x)) = x if x ∈ Z_n^*. Prove that the same statement is true for any x ∈ Z_n. 

HINT Use the fact that x_1 ≡ x_2 (mod pq) if and only if x_1 ≡ x_2 (mod p) and x_1 ≡ x_2 (mod q). This 
follows from the Chinese remainder theorem. 

4.6 Two samples of RSA ciphertext are presented in Tables 4.1 and 4.2. Your task is to decrypt 
them. The public parameters of the system are n = 18923 and b = 1261 (for Table 4.1) and n = 
31313 and b = 4913 (for Table 4.2). This can be accomplished as follows. First, factor n (which is 
easy because it is so small). Then compute the exponent a from φ(n), and, finally, decrypt the 
ciphertext. Use the square-and-multiply algorithm to exponentiate modulo n. 

In order to translate the plaintext back into ordinary English text, you need to know how 
alphabetic characters are "encoded" as elements in Z_n. Each element of Z_n represents three 
alphabetic characters as in the following examples: 

DOG → 3 × 26^2 + 14 × 26 + 6 = 2398 
CAT → 2 × 26^2 + 0 × 26 + 19 = 1371 
ZZZ → 25 × 26^2 + 25 × 26 + 25 = 17575. 

You will have to invert this process as the final step in your program. 

The first plaintext was taken from "The Diary of Samuel Marchbanks," by Robertson Davies, 
1947, and the second was taken from "Lake Wobegon Days," by Garrison Keillor, 1985. 

Table 4.1 RSA Ciphertext 

12423 11524 7243 7459 14303 6127 10964 16399 
9792 13629 14407 18817 18830 13556 3159 16647 
5300 13951 81 8986 8007 13167 10022 17213 
2264 961 17459 4101 2999 14569 17183 15827 
12693 9553 18194 3830 2664 13998 12501 18873 
12161 13071 16900 7233 8270 17086 9792 14266 
13236 5300 13951 8850 12129 6091 18110 3332 
15061 12347 7817 7946 11675 13924 13892 18031 
2620 6276 5500 201 8850 11178 16477 10161 
3533 13842 7537 12259 18110 44 2364 15570 
3460 9886 8687 4481 11231 7547 11383 17910 
12867 13203 5102 4742 5053 15407 2976 9330 
12192 56 2471 15334 841 13995 17592 13297 
2430 9741 11675 424 6686 738 13874 8168 
7913 6246 14301 1144 9056 15967 7328 13203 
796 195 9872 16979 15404 14130 9105 2001 
9792 14251 1498 11296 1105 4502 16979 1105 
56 4118 11302 5988 3363 15827 6928 4191 
4277 10617 874 13211 11821 3090 18110 44 
2364 15570 3460 9886 9988 3798 1158 9872 
16979 15404 6127 9872 3652 14838 7437 2540 
1367 2512 14407 5053 1521 297 10935 17137 
2186 9433 13293 7555 13618 13000 6490 5310 
18676 4782 11374 446 4165 11634 3846 14611 
2364 6789 11634 4493 4063 4576 17955 7965 
11748 14616 11453 17666 925 56 4118 18031 
9522 14838 7437 3880 11476 8305 5102 2999 
18628 14326 9175 9061 650 18110 8720 15404 
2951 722 15334 841 15610 2443 11056 2186 

4.7 This exercise exhibits what is called a protocol failure. It provides an example where 
ciphertext can be decrypted by an opponent, without determining the key, if a cryptosystem is 
used in a careless way. (Since the opponent does not determine the key, it is not accurate to call it 
cryptanalysis.) The moral is that it is not sufficient to use a "secure" cryptosystem in order to 
guarantee "secure" communication. 

Suppose Bob has an RSA Cryptosystem with a large modulus n for which the factorization 
cannot be found in a reasonable amount of time. Suppose Alice sends 
a message to Bob by representing each alphabetic character as an integer between 0 and 25 (i.e., 
A ↔ 0, B ↔ 1, etc.), and then encrypting each residue modulo 26 as a separate plaintext 
character. 

Table 4.2 RSA Ciphertext 

6340 8309 14010 8936 27358 25023 16481 25809 
23614 7135 24996 30590 27570 26486 30388 9395 
27584 14999 4517 12146 29421 26439 1606 17881 
25774 7647 23901 7372 25774 18436 12056 13547 
7908 8635 2149 1908 22076 7372 8686 1304 
4082 11803 5314 107 7359 22470 7372 22827 
15698 30317 4685 14696 30388 8671 29956 15705 
1417 26905 25809 28347 26277 7897 20240 21519 
12437 1108 27106 18743 24144 10685 25234 30155 
23005 8267 9917 7994 9694 2149 10042 27705 
15930 29748 8635 23645 11738 24591 20240 27212 
[illegible] 9741 2149 29329 2149 5501 14015 30155 
18154 22319 27705 [illegible] 21254 13624 3249 5443 
2149 16975 16087 14600 27705 10386 7325 26277 
19554 23614 7553 4734 8091 23973 14015 107 
3183 17347 25234 4595 21498 6360 19837 8463 
6000 31280 29413 2066 369 23204 8425 7792 
25973 4477 30989 

(a) Describe how Oscar can easily decrypt a message which is encrypted in this way. 

(b) Illustrate this attack by decrypting the following ciphertext (which was encrypted 
using an RSA Cryptosystem with n = 18721 and b = 25) without factoring the modulus: 

365, 0, 4845, 14930, 2608, 2608, 0 

4.8 This exercise illustrates another example of a protocol failure (due to Simmons) involving 
RSA; it is called the common modulus protocol failure. Suppose Bob has an RSA Cryptosystem 
with modulus n and decryption exponent b_1, and Charlie has an RSA Cryptosystem with (the 
same) modulus n and decryption exponent b_2. Suppose also that gcd(b_1, b_2) = 1. Now, consider 
the situation that arises if Alice encrypts the same plaintext x to send to both Bob and Charlie. 
Thus, she computes y_1 = x^{b_1} mod n and y_2 = x^{b_2} mod n, and then she sends y_1 to Bob and y_2 to 
Charlie. Suppose Oscar intercepts y_1 and y_2, and performs the computations indicated in Figure 
4.16. 

(a) Prove that the value x_1 computed in step 3 of Figure 4.16 is in fact Alice's plaintext, x. 
Thus, Oscar can decrypt the message Alice sent, even though the cryptosystem may be 
"secure." 

(b) Illustrate the attack by computing x by this method if n = 18721, b_1 = 43, b_2 = 7717, y_1 
= 12677 and y_2 = 14702. 

4.9 We give yet another protocol failure involving RSA. Suppose that three users in a network, 
say Bob, Bart and Bert, all have public encryption exponents b = 3. 

Figure 4.16 RSA common modulus protocol failure 

Let their moduli be denoted by n_1, n_2, n_3. Now suppose Alice encrypts the same plaintext x to 
send to Bob, Bart and Bert. That is, Alice computes y_i = x^3 mod n_i, 1 ≤ i ≤ 3. Describe how Oscar 
can compute x, given y_1, y_2 and y_3, without factoring any of the moduli. 

4.10 A plaintext x is said to be fixed if e_K(x) = x. Show that, for the RSA Cryptosystem, the 
number of fixed plaintexts x ∈ Z_n^* is equal to gcd(b − 1, p − 1) × gcd(b − 1, q − 1). 

HINT Consider the system of two congruences e_K(x) ≡ x (mod p), e_K(x) ≡ x (mod q). 

4.11 Suppose A is a deterministic algorithm which is given as input an RSA modulus n, an 
encryption exponent b, and a ciphertext y. A will either decrypt y or return no answer. Supposing 
that there are ε(n − 1) ciphertexts which A is able to decrypt, show how to use A as an oracle in a 
Las Vegas decryption algorithm having success probability ε. 

HINT Use the multiplicative property of RSA that e_K(x_1) e_K(x_2) = e_K(x_1 x_2), where all arithmetic 
operations are modulo n. 

4.12 Write a program to evaluate Jacobi symbols using the four properties presented in Section 
4.5. The program should not do any factoring, other than dividing out powers of two. Test your 
program by computing the following Jacobi symbols: 

(610/987), (20964/1987), (1234567/11111111). 

4.13 For n = 837, 851 and 1189, find the number of bases b such that n is an Euler pseudo-prime 
to the base b. 

4.14 The purpose of this question is to prove that the error probability of the Solovay-Strassen 
primality test is at most 1/2. Let Z_n^* denote the group of units modulo n. Define 

G(n) = {a : a ∈ Z_n^*, (a/n) ≡ a^{(n−1)/2} (mod n)}. 

(a) Prove that G(n) is a subgroup of Z_n^*. Hence, by Lagrange's theorem, if G(n) ≠ Z_n^*, 
then 

|G(n)| ≤ |Z_n^*|/2 ≤ (n − 1)/2. 

(b) Suppose n = p^k q, where p and q are odd, p is prime, k ≥ 2, and gcd(p, q) = 1. Let a = 1 
+ p^{k−1} q. Prove that 

(a/n) ≢ a^{(n−1)/2} (mod n). 

HINT Use the binomial theorem to compute a^{(n−1)/2}. 

(c) Suppose n = p_1 ⋯ p_s, where the p_i's are distinct odd primes. Suppose a ≡ u (mod p_1) 
and a ≡ 1 (mod p_2 ⋯ p_s), where u is a quadratic non-residue modulo p_1 (note that such 
an a exists by the Chinese remainder theorem). Prove that 

(a/n) ≡ −1 (mod n), 

but 

a^{(n−1)/2} ≡ 1 (mod p_2 ⋯ p_s), 

so 

a^{(n−1)/2} ≢ −1 (mod n). 

(d) If n is odd and composite, prove that |G(n)| ≤ (n − 1)/2. 

(e) Summarize the above: prove that the error probability of the Solovay-Strassen 
primality test is at most 1/2. 

4.15 Suppose we have a Las Vegas algorithm with failure probability ε. 

(a) Prove that the probability of first achieving success on the nth trial is p_n = ε^{n−1}(1 − ε). 

(b) The average (expected) number of trials to achieve success is 

∑_{n=1}^{∞} n p_n. 

Show that this average is equal to 1/(1 − ε). 

(c) Let δ be a positive real number less than 1. Show that the number of iterations required 
in order to reduce the probability of failure to at most δ is 

⌈log δ / log ε⌉. 

4.16 Suppose Bob has carelessly revealed his decryption exponent to be a = 14039 in an RSA 
Cryptosystem with public key n = 36581 and b = 4679. Implement the probabilistic algorithm to 
factor n given this information. Test your algorithm with the "random" choices w = 9983 and w = 
13461. Show all computations. 

4.17 Prove Equations 4.1 and 4.2 relating the functions half and parity. 

4.18 Suppose p = 199, q = 211 and B = 1357 in the Rabin Cryptosystem. Perform the following 
computations. 

(a) Determine the four square roots of 1 modulo n, where n = pq. 

(b) Compute the encryption y = e_K(32767). 

(c) Determine the four possible decryptions of this given ciphertext y. 

4.19 Factor 262063 and 9420457 using the p − 1 method. How big does B have to be in each case 
to be successful? 
Chapter 5

Other Public-key Cryptosystems

In this chapter, we look at several other public-key cryptosystems. The ElGamal Cryptosystem is based on the Discrete Logarithm problem, which we will have occasion to use in numerous cryptographic protocols throughout the rest of the text. Thus we devote a considerable amount of time to discussion of this important problem. In later sections, we give relatively brief treatments of some other well-known public-key cryptosystems. These include ElGamal-type systems based on finite fields and elliptic curves, the (broken) Merkle-Hellman Knapsack Cryptosystem and the McEliece Cryptosystem.

5.1 The ElGamal Cryptosystem and Discrete Logs

The ElGamal Cryptosystem is based on the Discrete Logarithm problem. We begin by describing this problem in the setting of a finite field $\mathbb{Z}_p$, where p is prime, in Figure 5.1. (Recall that the multiplicative group $\mathbb{Z}_p^*$ is cyclic, and a generator of $\mathbb{Z}_p^*$ is called a primitive element.)

The Discrete Logarithm problem in $\mathbb{Z}_p^*$ has been the object of much study. The problem is generally regarded as being difficult if p is carefully chosen. In particular, there is no known polynomial-time algorithm for the Discrete Logarithm problem. To thwart known attacks, p should have at least 150 digits, and p - 1 should have at least one "large" prime factor. The utility of the Discrete Logarithm problem in a cryptographic setting is that finding discrete logs is (probably) difficult, but the inverse operation of exponentiation can be computed efficiently by using the square-and-multiply method described earlier. Stated another way, exponentiation modulo p is a one-way function for suitable primes p.

ElGamal has developed a public-key cryptosystem based on the Discrete Logarithm problem. This system is presented in Figure 5.2.

The ElGamal Cryptosystem is non-deterministic, since the ciphertext depends on both the plaintext x and on the random value k chosen by Alice. So there will be many ciphertexts that are encryptions of the same plaintext.



Figure 5.1 The discrete logarithm problem in $\mathbb{Z}_p^*$

Figure 5.2 ElGamal Public-key Cryptosystem in $\mathbb{Z}_p^*$
Informally, this is how the ElGamal Cryptosystem works. The plaintext x is "masked" by multiplying it by $\beta^k$, yielding $y_2$. The value $\alpha^k$ is also transmitted as part of the ciphertext. Bob, who knows the secret exponent a, can compute $\beta^k$ from $\alpha^k$. Then he can "remove the mask" by dividing $y_2$ by $\beta^k$ to obtain x.

A small example will illustrate.

Example 5.1

Suppose p = 2579, $\alpha$ = 2, a = 765, and hence

$$\beta = 2^{765} \bmod 2579 = 949.$$

Now, suppose that Alice wishes to send the message x = 1299 to Bob. Say k = 853 is the random integer she chooses. Then she computes

$$y_1 = 2^{853} \bmod 2579 = 435$$

and

$$y_2 = 1299 \times 949^{853} \bmod 2579 = 2396.$$

When Bob receives the ciphertext y = (435, 2396), he computes

$$x = 2396 \times (435^{765})^{-1} \bmod 2579 = 1299,$$

which was the plaintext that Alice encrypted.
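The following is an added example, not code from the textbook: ElGamal encryption and decryption in $\mathbb{Z}_p^*$ run on the parameters of Example 5.1. It uses only the page's values (p, $\alpha$, a, x, k); the second exponent k = 1000 in the non-determinism check is our own constructed choice, and `pow(x, -1, p)` (Python 3.8 and later) supplies the modular inverse.

```python
# Added example for Example 5.1 (not code from the textbook).

def elgamal_keygen(p, alpha, a):
    """Public key (p, alpha, beta) with beta = alpha^a mod p; a stays secret."""
    return (p, alpha, pow(alpha, a, p))

def elgamal_encrypt(pub, x, k):
    """Encrypt x with the per-message exponent k.  k must be fresh and
    uniformly random for every message: if the same k is reused, both
    ciphertexts share y1 and the ratio of the y2 values is the ratio of the
    plaintexts, which is why the scheme's security depends on k."""
    p, alpha, beta = pub
    return (pow(alpha, k, p), (x * pow(beta, k, p)) % p)

def elgamal_decrypt(p, a, cipher):
    """Bob recomputes the mask beta^k = (alpha^k)^a and divides it out."""
    y1, y2 = cipher
    mask = pow(y1, a, p)
    return (y2 * pow(mask, -1, p)) % p

def example_5_1():
    """(beta, ciphertext, recovered plaintext) for the page's values."""
    pub = elgamal_keygen(2579, 2, 765)
    cipher = elgamal_encrypt(pub, 1299, 853)
    return pub[2], cipher, elgamal_decrypt(2579, 765, cipher)

def ciphertexts_differ_but_decrypt_alike(p, alpha, a, x, k1, k2):
    """Non-determinism: two exponents give different ciphertexts for one x,
    and both decrypt to x."""
    pub = elgamal_keygen(p, alpha, a)
    c1, c2 = elgamal_encrypt(pub, x, k1), elgamal_encrypt(pub, x, k2)
    return c1 != c2 and elgamal_decrypt(p, a, c1) == elgamal_decrypt(p, a, c2) == x

if __name__ == "__main__":
    print(example_5_1())   # (949, (435, 2396), 1299)
```

The value k is the only randomness in the system; the `elgamal_encrypt` docstring records the reason it must never repeat, which is the practical caveat behind the page's remark that many ciphertexts encrypt the same plaintext.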

5.1.1 Algorithms for the Discrete Log Problem

Throughout this section, we assume that p is prime and $\alpha$ is a primitive element modulo p. We take p and $\alpha$ to be fixed. Hence the Discrete Logarithm problem can be phrased in the following form: Given $\beta \in \mathbb{Z}_p^*$, find the unique exponent a, $0 \le a \le p - 2$, such that $\alpha^a \equiv \beta \pmod p$.

Clearly, the Discrete Logarithm problem can be solved by exhaustive search in O(p) time and O(1) space (neglecting logarithmic factors). By precomputing all possible values $\alpha^a$, and sorting the ordered pairs $(a, \alpha^a \bmod p)$ with respect to their second coordinates, we can solve the discrete log problem in O(1) time with O(p) precomputation and O(p) memory (again, neglecting logarithmic factors). The first non-trivial algorithm we describe is a time-memory trade-off due to Shanks.

Figure 5.3 Shanks' algorithm for the discrete logarithm problem

Shanks' Algorithm

Denote $m = \lceil \sqrt{p-1} \rceil$. Shanks' algorithm is presented in Figure 5.3. Some comments are in order. First, steps 1 and 2 can be precomputed, if desired (this will not affect the asymptotic running time, however). Next, observe that if $(j, y) \in L_1$ and $(i, y) \in L_2$, then

$$\alpha^{mj} \equiv \beta \alpha^{-i} \pmod p,$$

so

$$\alpha^{mj + i} \equiv \beta \pmod p,$$

as desired. Conversely, for any $\beta$, we can write

$$\log_\alpha \beta = mj + i,$$

where $0 \le j, i \le m - 1$. Hence, the search in step 5 will be successful.

It is not difficult to implement the algorithm to run in O(m) time with O(m) memory (neglecting logarithmic factors). Note that step 5 can be done with one (simultaneous) pass through each of the two lists $L_1$ and $L_2$.

Here is a small example to illustrate.

Example 5.2

Suppose p = 809, and we wish to find $\log_3 525$. So we have $\alpha$ = 3, $\beta$ = 525 and $m = \lceil \sqrt{808} \rceil = 29$. Then

$$\alpha^{29} \bmod 809 = 99.$$

First, we compute the ordered pairs $(j, 99^j \bmod 809)$ for $0 \le j \le 28$. We obtain the list

(0, 1) (1, 99) (2, 93) (3, 308) (4, 559) (5, 329) (6, 211) (7, 664) (8, 207) (9, 268)
(10, 644) (11, 654) (12, 26) (13, 147) (14, 800) (15, 727) (16, 781) (17, 464) (18, 632) (19, 275)
(20, 528) (21, 496) (22, 564) (23, 15) (24, 676) (25, 586) (26, 575) (27, 295) (28, 81)

which is then sorted to produce $L_1$.

The second list contains the ordered pairs $(i, 525 \times (3^i)^{-1} \bmod 809)$, $0 \le i \le 28$. It is as follows:

(0, 525) (1, 175) (2, 328) (3, 379) (4, 396) (5, 132) (6, 44) (7, 554) (8, 724) (9, 511)
(10, 440) (11, 686) (12, 768) (13, 256) (14, 355) (15, 388) (16, 399) (17, 133) (18, 314) (19, 644)
(20, 754) (21, 521) (22, 713) (23, 777) (24, 259) (25, 356) (26, 658) (27, 489) (28, 163)

After sorting this list, we get $L_2$.

Now, if we proceed simultaneously through the two sorted lists, we find that (10, 644) is in $L_1$ and (19, 644) is in $L_2$. Hence, we can compute

$$\log_3 525 = 29 \times 10 + 19 = 309.$$

As a check, it can be verified that indeed $3^{309} \equiv 525 \pmod{809}$.
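An added implementation of Shanks' algorithm, not the book's Figure 5.3 pseudo-code, run on Example 5.2. The sorted lists and the simultaneous pass of step 5 are replaced by a dictionary keyed on the group element, which gives the same O(m) time and memory; the only names introduced here are our own function names.

```python
# Added example for Example 5.2 (not the book's Figure 5.3 code): Shanks'
# baby-step giant-step algorithm for log_alpha(beta) in Z_p^*.
from math import isqrt

def shanks(alpha, beta, p):
    """Return a in [0, p-2] with alpha^a = beta (mod p), or None if beta is not
    a power of alpha.  O(m) time and memory with m = ceil(sqrt(p-1))."""
    n = p - 1
    m = isqrt(n)
    if m * m < n:
        m += 1                               # m = ceil(sqrt(p-1))
    giant = pow(alpha, m, p)                 # alpha^m
    # L1 = (j, alpha^{mj} mod p), 0 <= j <= m-1, stored as element -> j so
    # the sorted-list search of step 5 becomes a hash lookup.
    L1 = {}
    g = 1
    for j in range(m):
        L1.setdefault(g, j)
        g = (g * giant) % p
    # L2 = (i, beta * alpha^{-i} mod p), 0 <= i <= m-1, generated on the fly:
    # a hit alpha^{mj} = beta * alpha^{-i} means alpha^{mj+i} = beta.
    alpha_inv = pow(alpha, -1, p)
    h = beta % p
    for i in range(m):
        if h in L1:
            return (m * L1[h] + i) % n
        h = (h * alpha_inv) % p
    return None

def example_5_2():
    """(log_3 525 in Z_809^*, alpha^m mod p) as in the page's example."""
    return shanks(3, 525, 809), pow(3, 29, 809)

if __name__ == "__main__":
    print(example_5_2())   # (309, 99)
```

The m giant steps dominate memory, which is the time-memory trade-off the text refers to: a p of 150 digits makes m around 75 digits, so this algorithm is only a threat to toy parameters and is the reason p must be large.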
The Pohlig-Hellman Algorithm

The next algorithm we study is the Pohlig-Hellman algorithm. Suppose

$$p - 1 = \prod_{i=1}^{k} p_i^{c_i},$$

where the $p_i$'s are distinct primes. The value $a = \log_\alpha \beta$ is determined (uniquely) modulo p - 1. We first observe that if we can compute $a \bmod p_i^{c_i}$ for each i, $1 \le i \le k$, then we can compute $a \bmod (p - 1)$ by the Chinese remainder theorem. So, let's suppose that q is prime,

$$p - 1 \equiv 0 \pmod{q^c}$$

and

$$p - 1 \not\equiv 0 \pmod{q^{c+1}}.$$

We will show how to compute the value

$$x = a \bmod q^c,$$

where $0 \le x \le q^c - 1$. We can express x in radix q representation as

$$x = \sum_{i=0}^{c-1} a_i q^i,$$

where $0 \le a_i \le q - 1$ for $0 \le i \le c - 1$. Also, observe that we can express a as

$$a = x + q^c s$$

for some integer s.

The first step of the algorithm is to compute $a_0$. The main observation is that

To see this, note that

so it suffices to show that

$$\alpha^{(p-1)(x + q^c s)/q} \equiv \alpha^{(p-1)x/q} \pmod p.$$

This will be true if and only if

However, we have

$$\frac{(p-1)(x + q^c s)}{q} - \frac{(p-1)x}{q} = (p-1) q^{c-1} s \equiv 0 \pmod{p-1},$$

which was what we wanted to prove.

Hence, we begin by computing $\beta^{(p-1)/q} \bmod p$. If

$$\beta^{(p-1)/q} \equiv 1 \pmod p,$$

then $a_0 = 0$. Otherwise, we successively compute

$$\gamma = \alpha^{(p-1)/q} \bmod p,\ \gamma^2 \bmod p,\ \ldots,$$

until

$$\gamma^i \equiv \beta^{(p-1)/q} \pmod p$$

for some i. When this happens, we have $a_0 = i$.

Now, if c = 1, we're done. Otherwise c > 1, and we proceed to determine $a_1$. To do this, we define

$$\beta_1 = \beta \alpha^{-a_0}$$

and denote

It is not hard to see that

Hence, it follows that

$$\beta_1^{(p-1)/q^2} \equiv \alpha^{(p-1) a_1 / q} \pmod p.$$

So, we will compute $\beta_1^{(p-1)/q^2} \bmod p$, and then find i such that

$$\gamma^i \equiv \beta_1^{(p-1)/q^2} \pmod p.$$

Then we have $a_1 = i$.

If c = 2, we are now finished; otherwise, we repeat this process c - 2 more times, obtaining $a_2, \ldots, a_{c-1}$.

A pseudo-code description of the Pohlig-Hellman algorithm is given in Figure 5.4. In this algorithm, $\alpha$ is a primitive element modulo p, q is prime,

$$p - 1 \equiv 0 \pmod{q^c}$$

and

$$p - 1 \not\equiv 0 \pmod{q^{c+1}}.$$

The algorithm calculates $a_0, \ldots, a_{c-1}$, where

$$\log_\alpha \beta \bmod q^c = \sum_{i=0}^{c-1} a_i q^i.$$

We illustrate the Pohlig-Hellman algorithm with a small example.
Figure 5.4 Pohlig-Hellman algorithm to compute $\log_\alpha \beta \bmod q^c$

Example 5.3

Suppose p = 29; then

$$n = p - 1 = 28 = 2^2 \times 7^1.$$

Suppose $\alpha$ = 2 and $\beta$ = 18, so we want to determine $a = \log_2 18$. We proceed by first computing a mod 4 and then computing a mod 7.

We start by setting q = 2 and c = 2. First,

$$\gamma_0 = 1$$

and

$$\gamma_1 = \alpha^{28/2} \bmod 29 = 2^{14} \bmod 29 = 28.$$

Next,

$$\delta = \beta^{28/2} \bmod 29 = 18^{14} \bmod 29 = 28.$$

Hence, $a_0 = 1$. Next, we compute

$$\beta_1 = \beta_0 \alpha^{-1} \bmod 29 = 9,$$

and

$$\delta = \beta_1^{28/4} \bmod 29 = 9^7 \bmod 29 = 28.$$

Since

$$\gamma_1 = 28 \bmod 29,$$

we have $a_1 = 1$. Hence, $a \equiv 3 \pmod 4$.

Next, we set q = 7 and c = 1. We have

$$\beta^{28/7} \bmod 29 = 18^4 \bmod 29 = 25$$

and

$$\gamma_1 = \alpha^{28/7} \bmod 29 = 2^4 \bmod 29 = 16.$$

Then we would compute

$$\gamma_2 = 24,\quad \gamma_3 = 7,\quad \gamma_4 = 25.$$

Hence, $a_0 = 4$ and $a \equiv 4 \pmod 7$.

Finally, solving the system

$$a \equiv 3 \pmod 4, \qquad a \equiv 4 \pmod 7$$

using the Chinese remainder theorem, we get $a \equiv 11 \pmod{28}$. That is, we have computed $\log_2 18$ in $\mathbb{Z}_{29}^*$ to be 11.
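An added implementation of the Pohlig-Hellman algorithm, not the book's Figure 5.4 pseudo-code, run on Example 5.3. It computes the digits $a_0, \ldots, a_{c-1}$ for each prime power dividing p - 1 and combines them with the Chinese remainder theorem; the trial-division factoring of p - 1 and the function names are our own, and the "find i such that" step is done with a lookup table of the powers of $\gamma$.

```python
# Added example for Example 5.3 (not the book's Figure 5.4 code):
# Pohlig-Hellman in Z_p^* combined with the Chinese remainder theorem.

def factor_trial(n):
    """Factor n by trial division -> {prime: exponent}.  Adequate for the
    small moduli here; the algorithm needs p - 1 to be factorable at all."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def log_mod_prime_power(alpha, beta, p, q, c):
    """Digits a_0..a_{c-1} of log_alpha(beta) mod q^c (the loop of Figure 5.4)."""
    n = p - 1
    gamma = pow(alpha, n // q, p)                  # element of order q
    table = {pow(gamma, i, p): i for i in range(q)}  # gamma^i -> i
    alpha_inv = pow(alpha, -1, p)
    digits, beta_j = [], beta % p
    for j in range(c):
        delta = pow(beta_j, n // q ** (j + 1), p)  # beta_j^{(p-1)/q^{j+1}}
        a_j = table[delta]                         # delta = gamma^{a_j}
        digits.append(a_j)
        beta_j = (beta_j * pow(alpha_inv, a_j * q ** j, p)) % p   # strip a_j q^j
    return digits

def crt(residues, moduli):
    """Solve x = r_i (mod m_i) for pairwise coprime moduli."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mi)) % mi
        x += m * t
        m *= mi
    return x % m

def pohlig_hellman(alpha, beta, p):
    """log_alpha(beta) in Z_p^*, alpha a primitive element."""
    residues, moduli = [], []
    for q, c in factor_trial(p - 1).items():
        digits = log_mod_prime_power(alpha, beta, p, q, c)
        residues.append(sum(d * q ** i for i, d in enumerate(digits)))
        moduli.append(q ** c)
    return crt(residues, moduli)

if __name__ == "__main__":
    print(pohlig_hellman(2, 18, 29))   # 11
```

The work is dominated by the largest prime factor q of p - 1 (the table has q entries; a real implementation would use Shanks' algorithm for that step instead of a table), which is exactly why the text insists that p - 1 have at least one "large" prime factor.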

The Index Calculus Method

The index calculus method for computing discrete logs bears considerable resemblance to many of the best factoring algorithms. We give a very brief overview in this section. The method uses a factor base, which, as before, is a set $\mathcal{B}$ of "small" primes. Suppose $\mathcal{B} = \{p_1, p_2, \ldots, p_B\}$. The first step (a preprocessing step) is to find the logarithms of the B primes in the factor base. The second step is to compute a discrete log of a desired element $\beta$, using the knowledge of the discrete logs of the elements in the factor base.

In the precomputation, we construct C = B + 10 congruences modulo p, as follows:

$$\alpha^{x_j} \equiv p_1^{a_{1j}} p_2^{a_{2j}} \cdots p_B^{a_{Bj}} \pmod p,$$

$1 \le j \le C$. Notice these congruences can be written equivalently as

$$x_j \equiv a_{1j} \log_\alpha p_1 + \cdots + a_{Bj} \log_\alpha p_B \pmod{p - 1},$$

$1 \le j \le C$. Given C congruences in the B "unknowns" $\log_\alpha p_i$ ($1 \le i \le B$), we hope that there is a unique solution modulo p - 1. If this is the case, then we can compute the logarithms of the elements in the factor base.

How do we generate congruences of the desired form? One elementary way is to take a random value x, compute $\alpha^x \bmod p$, and then determine if $\alpha^x \bmod p$ has all its factors in $\mathcal{B}$ (using trial division, for example).

Now, given that we have already successfully carried out the precomputation step, we compute a desired logarithm $\log_\alpha \beta$ by means of a Las Vegas type probabilistic algorithm. Choose a random integer s ($1 \le s \le p - 2$) and compute

$$\gamma = \beta \alpha^s \bmod p.$$

Now attempt to factor $\gamma$ over the factor base $\mathcal{B}$. If this can be done, then we obtain a congruence of the form

$$\beta \alpha^s \equiv p_1^{c_1} p_2^{c_2} \cdots p_B^{c_B} \pmod p.$$

This can be written equivalently as

$$\log_\alpha \beta + s \equiv c_1 \log_\alpha p_1 + \cdots + c_B \log_\alpha p_B \pmod{p - 1}.$$

Since everything is now known except $\log_\alpha \beta$, we can easily solve for $\log_\alpha \beta$.

Here is a small, very artificial, example to illustrate the two steps in the algorithm.

Example 5.4

Suppose p = 10007 and $\alpha$ = 5 is the primitive element used as the base of logarithms modulo p. Suppose we take $\mathcal{B} = \{2, 3, 5, 7\}$ as the factor base. Of course $\log_5 5 = 1$, so there are three logs of factor base elements to be determined.

Some examples of "lucky" exponents that might be chosen are 4063, 5136 and 9865. With x = 4063, we compute

$$5^{4063} \bmod 10007 = 42 = 2 \times 3 \times 7.$$

This yields the congruence

$$\log_5 2 + \log_5 3 + \log_5 7 \equiv 4063 \pmod{10006}.$$

Similarly, since

$$5^{5136} \bmod 10007 = 54 = 2 \times 3^3$$

and

$$5^{9865} \bmod 10007 = 189 = 3^3 \times 7,$$

we obtain two more congruences:

$$\log_5 2 + 3 \log_5 3 \equiv 5136 \pmod{10006}$$

and

$$3 \log_5 3 + \log_5 7 \equiv 9865 \pmod{10006}.$$

We now have three congruences in three unknowns, and there happens to be a unique solution modulo 10006, namely $\log_5 2 = 6578$, $\log_5 3 = 6190$ and $\log_5 7 = 1301$.

Now, let's suppose that we wish to find $\log_5 9451$. Suppose we choose the "random" exponent s = 7736, and compute

$$9451 \times 5^{7736} \bmod 10007 = 8400.$$

Since $8400 = 2^4 \, 3^1 \, 5^2 \, 7^1$ factors over $\mathcal{B}$, we obtain

$$\begin{aligned}
\log_5 9451 &= 4 \log_5 2 + \log_5 3 + 2 \log_5 5 + \log_5 7 - s \bmod 10006 \\
&= 4 \times 6578 + 6190 + 2 \times 1 + 1301 - 7736 \bmod 10006 \\
&= 6057.
\end{aligned}$$

To verify, we can check that $5^{6057} \equiv 9451 \pmod{10007}$.
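An added implementation of both steps of the index calculus method, not code from the textbook, run on Example 5.4. The "random" exponents are the book's lucky ones (plus the trivial relation $\alpha^1 = 5$, so that $\log_5 5 = 1$ enters the linear system), which makes the run deterministic; a real implementation draws x and s at random and keeps drawing until the values factor over the base. The modular Gauss-Jordan solver and all function names are our own.

```python
# Added example for Example 5.4 (not code from the textbook).
from math import gcd

P, ALPHA = 10007, 5
BASE = [2, 3, 5, 7]

def factor_over_base(n, base):
    """Exponent vector of n over base, or None if n has a prime outside it."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def solve_mod(rows, rhs, n):
    """Gauss-Jordan over Z_n for the system rows * v = rhs.  Pivots must be
    units mod n; if a column has none we give up, which a real run answers by
    collecting more congruences (the book's C = B + 10 oversampling)."""
    m = [r[:] + [b] for r, b in zip(rows, rhs)]
    k = len(rows[0])
    for col in range(k):
        piv = next((r for r in range(col, len(m)) if gcd(m[r][col] % n, n) == 1), None)
        if piv is None:
            raise ValueError("no invertible pivot in column %d" % col)
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, n)
        m[col] = [(v * inv) % n for v in m[col]]
        for r in range(len(m)):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % n for a, b in zip(m[r], m[col])]
    return [m[i][k] % n for i in range(k)]

def precompute(exponents):
    """Step 1: logs of the factor base from relations alpha^x = prod p_i^{a_i}."""
    rows, rhs = [], []
    for x in exponents:
        vec = factor_over_base(pow(ALPHA, x, P), BASE)
        if vec is not None:                 # unlucky x simply contributes nothing
            rows.append(vec)
            rhs.append(x)
    return dict(zip(BASE, solve_mod(rows, rhs, P - 1)))

def individual_log(beta, s, base_logs):
    """Step 2: log_alpha(beta) from one smooth value of beta * alpha^s, or None
    if the chosen s was not lucky (the Las Vegas failure case)."""
    vec = factor_over_base((beta * pow(ALPHA, s, P)) % P, BASE)
    if vec is None:
        return None
    return (sum(c * base_logs[q] for c, q in zip(vec, BASE)) - s) % (P - 1)

if __name__ == "__main__":
    logs = precompute([1, 4063, 5136, 9865])
    print(logs, individual_log(9451, 7736, logs))   # {...: 6578, 6190, 1, 1301} 6057
```

The linear algebra is over $\mathbb{Z}_{p-1}$, not over a field, so a pivot can fail to be invertible (here 10006 = 2 x 5003); the solver's pivot search makes that failure explicit instead of silently dividing by a non-unit.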
Heuristic analyses of various versions of the algorithm have been done. Under reasonable assumptions, the asymptotic running time of the precomputation is

and the time to find an individual discrete log is

5.1.2 Bit Security of Discrete Logs

We now look at the question of partial information about discrete logs. In particular, we consider whether individual bits of a discrete logarithm are easy or hard to compute. To be precise, consider the problem presented in Figure 5.5, which we call the ith Bit problem.

Figure 5.5 ith bit of discrete logarithm

We will first show that computing the least significant bit of a discrete logarithm is easy. In other words, if i = 1, the ith Bit problem can be solved efficiently. This follows from Euler's criterion concerning quadratic residues modulo p, where p is prime.

Consider the mapping $f : \mathbb{Z}_p^* \to \mathbb{Z}_p^*$ defined by

$$f(x) = x^2 \bmod p.$$

Denote by QR(p) the set of quadratic residues modulo p; then

$$QR(p) = \{ x^2 \bmod p : x \in \mathbb{Z}_p^* \}.$$

First, observe that f(x) = f(p - x). Next note that

$$w^2 \equiv x^2 \pmod p$$

if and only if p divides $(w - x)(w + x)$, which happens if and only if

$$w \equiv \pm x \pmod p.$$

It follows that

$$|f^{-1}(y)| = 2$$

for every $y \in QR(p)$, and hence

$$|QR(p)| = \frac{p - 1}{2}.$$

That is, exactly half the residues in $\mathbb{Z}_p^*$ are quadratic residues and half are not.

Now, suppose $\alpha$ is a primitive element of $\mathbb{Z}_p^*$. Then $\alpha^a \in QR(p)$ if a is even. Since the (p - 1)/2 elements $\alpha^0 \bmod p, \alpha^2 \bmod p, \ldots, \alpha^{p-3} \bmod p$ are all distinct, it follows that

$$QR(p) = \{ \alpha^{2i} \bmod p : 0 \le i \le (p - 3)/2 \}.$$

Hence, $\beta$ is a quadratic residue if and only if $\log_\alpha \beta$ is even, that is, if and only if $L_1(\beta) = 0$. But we already know, by Euler's criterion, that $\beta$ is a quadratic residue if and only if

$$\beta^{(p-1)/2} \equiv 1 \pmod p.$$

So we have the following efficient formula to calculate $L_1(\beta)$:

$$L_1(\beta) = \begin{cases} 0 & \text{if } \beta^{(p-1)/2} \equiv 1 \pmod p \\ 1 & \text{otherwise.} \end{cases}$$

Let's now consider the computation of $L_i(\beta)$ for values of i exceeding 1. Suppose

$$p - 1 = 2^s t$$

where t is odd. Then it can be shown that it is easy to compute $L_i(\beta)$ if $i \le s$. On the other hand, computing $L_{s+1}(\beta)$ is (probably) difficult, in the sense that any hypothetical algorithm (or oracle) to compute $L_{s+1}(\beta)$ could be used to find discrete logarithms in $\mathbb{Z}_p^*$.

We shall prove this result in the case s = 1. More precisely, if $p \equiv 3 \pmod 4$ is prime, then we show how any oracle for computing $L_2(\beta)$ can be used to solve the Discrete Log problem in $\mathbb{Z}_p^*$.

Recall that, if $\beta$ is a quadratic residue in $\mathbb{Z}_p^*$ and $p \equiv 3 \pmod 4$, then the two square roots of $\beta$ modulo p are $\pm \beta^{(p+1)/4} \bmod p$. It is also important that, for any $\beta \ne 0$,

$$L_1(\beta) \ne L_1(p - \beta)$$

if $p \equiv 3 \pmod 4$. We see this as follows. Suppose

$$\beta \equiv \alpha^a \pmod p;$$

then

$$p - \beta \equiv -\alpha^a \equiv \alpha^{(p-1)/2} \alpha^a \equiv \alpha^{a + (p-1)/2} \pmod p.$$

Since $p \equiv 3 \pmod 4$, the integer (p - 1)/2 is odd, and the result follows.

Now, suppose that $\beta = \alpha^a$ for some (unknown) even exponent a. Then either

$$\beta^{(p+1)/4} \equiv \alpha^{a/2} \pmod p$$

or

$$\beta^{(p+1)/4} \equiv -\alpha^{a/2} \pmod p.$$

We can determine which of these two possibilities is correct if we know the value $L_2(\beta)$, since $L_1(\alpha^{a/2}) = L_2(\beta)$. This fact is exploited in our algorithm, which we present in Figure 5.6.

At the end of the algorithm, the $x_i$'s comprise the bits in the binary representation of $\log_\alpha \beta$; that is,

$$\log_\alpha \beta = \sum_{i \ge 0} x_i 2^i.$$

We will work out a small example to illustrate the algorithm.

Figure 5.6 Computing discrete logs in $\mathbb{Z}_p^*$ for $p \equiv 3 \pmod 4$, given an oracle for $L_2(\beta)$
Example 5.5

Suppose p = 19, $\alpha$ = 2 and $\beta$ = 6. Since the example is so small, we can tabulate the values of $L_1(\gamma)$ and $L_2(\gamma)$ for all $\gamma \in \mathbb{Z}_{19}^*$. (In general, $L_1$ can be computed efficiently using Euler's criterion and $L_2$ is an oracle.) These values are given in Table 5.1. The algorithm now proceeds as shown in Figure 5.7.

Hence, $\log_2 6 = (1110)_2 = 14$, as can easily be verified.

Table 5.1 Values of $L_1$ and $L_2$ for p = 19, $\alpha$ = 2

  γ  L1(γ)  L2(γ)  |   γ  L1(γ)  L2(γ)  |   γ  L1(γ)  L2(γ)
  1    0      0    |   7    0      1    |  13    1      0
  2    1      0    |   8    1      1    |  14    1      1
  3    1      0    |   9    0      0    |  15    1      1
  4    0      1    |  10    1      0    |  16    0      0
  5    0      0    |  11    0      0    |  17    0      1
  6    0      1    |  12    1      1    |  18    1      0

Figure 5.7 Computation of $\log_2 6$ in $\mathbb{Z}_{19}^*$

1.   x_0 = L_1(6) = 0
2.   β = 6
3.   i = 1
5.   x_1 = L_2(β) = 1
6.   γ = 5
10.  β = 14
11.  β = 7
12.  i = 2
5.   x_2 = L_2(β) = 1
6.   γ = 11
10.  β = 8
11.  β = 4
12.  i = 3
5.   x_3 = L_2(β) = 1
6.   γ = 17
10.  β = 2
11.  β = 1
12.  i = 4
4.   DONE

It is possible to give a formal proof of the algorithm's correctness using mathematical induction. Denote

For $i \ge 0$, define

Also, define $\beta_0$ to be the value of $\beta$ in step 2 of the algorithm; and, for $i \ge 1$, define $\beta_i$ to be the value of $\beta$ in step 11 during the ith iteration of the while loop. It can be proved by induction that

$$\beta_i \equiv \alpha^{2 Y_i} \pmod p$$

for all $i \ge 0$. Now, with the observation that

it follows that

$i \ge 0$. Since

$$\beta_0 = $$

the algorithm is correct. The details are left to the reader.

Figure 5.8 The discrete logarithm problem in $(G, \circ)$
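An added implementation of the reduction of Figure 5.6, not code from the textbook, run on Example 5.5. $L_1$ is computed from Euler's criterion as the text describes; the $L_2$ oracle is simulated by a brute-force table of all logarithms, which is feasible only because p = 19 is tiny (the whole point of the reduction is that a genuine $L_2$ oracle would be as powerful as a discrete-log solver). Function names and the returned trace format are our own.

```python
# Added example for Figure 5.6 / Example 5.5 (not code from the textbook).

def L1(beta, p):
    """Least significant bit of log(beta): 0 iff beta is a quadratic residue
    (Euler's criterion)."""
    return 0 if pow(beta, (p - 1) // 2, p) == 1 else 1

def make_L2_oracle(alpha, p):
    """Simulated oracle for the second bit of log_alpha(y), built from a full
    logarithm table; only possible for toy p."""
    logs, g = {}, 1
    for a in range(p - 1):
        logs[g] = a
        g = (g * alpha) % p
    return lambda y: (logs[y % p] >> 1) & 1

def dlog_from_L2(alpha, beta, p, L2):
    """log_alpha(beta) in Z_p^*, p = 3 (mod 4), given an L_2 oracle.
    Returns (log, trace) with trace = [(x_i, beta^((p+1)/4), beta after step 11)]."""
    assert p % 4 == 3, "square roots via beta^((p+1)/4) need p = 3 (mod 4)"
    alpha_inv = pow(alpha, -1, p)
    bits = [L1(beta, p)]                                 # step 1: x_0
    beta = (beta * pow(alpha_inv, bits[0], p)) % p       # step 2: beta / alpha^{x_0}
    trace = []
    while beta != 1:                                     # step 4
        x_i = L2(beta)                                   # step 5: oracle call
        gamma = pow(beta, (p + 1) // 4, p)               # step 6: one square root
        # steps 7-10: alpha^{a/2} is the root whose L_1 equals x_i, since
        # L_1(alpha^{a/2}) = L_2(beta) and L_1(gamma) != L_1(p - gamma)
        root = gamma if L1(gamma, p) == x_i else p - gamma
        beta = (root * pow(alpha_inv, x_i, p)) % p       # step 11: divide by alpha^{x_i}
        bits.append(x_i)
        trace.append((x_i, gamma, beta))
    return sum(b << i for i, b in enumerate(bits)), trace

if __name__ == "__main__":
    oracle = make_L2_oracle(2, 19)
    print(dlog_from_L2(2, 6, 19, oracle))   # (14, [(1, 5, 7), (1, 11, 4), (1, 17, 1)])
```

Each loop iteration costs one oracle call and two modular exponentiations, so a polynomial-time $L_2$ oracle yields a polynomial-time discrete-log algorithm, which is the precise sense in which the second bit is "hard".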



5.2 Finite Field and Elliptic Curve Systems

We have spent a considerable amount of time looking at the Discrete Logarithm problem and factoring. We will see these two problems again and again, underlying various types of cryptosystems and cryptographic protocols. So far, we have considered the Discrete Logarithm problem in the finite field $\mathbb{Z}_p$, but it is also useful to consider the problem in other settings. This is the theme of this section.

The ElGamal Cryptosystem can be implemented in any group where the Discrete Log problem is intractable. We used the multiplicative group $\mathbb{Z}_p^*$, but other groups are also suitable candidates. First, we phrase the Discrete Logarithm problem in a general (finite) group G, where we will denote the group operation by $\circ$. This generalized version of the problem is presented in Figure 5.8.

It is easy to define an ElGamal Cryptosystem in the subgroup H in a similar fashion as it was originally described in $\mathbb{Z}_p^*$. This is done in Figure 5.9. Note that encryption requires the use of a random integer k such that $0 \le k \le |H| - 1$. However, if Alice does not know the order of the subgroup H, she can generate an integer k such that $0 \le k \le |G| - 1$, and encryption and decryption will work without any changes. Also note that the group G need not be an abelian group (of course H is abelian since it is cyclic).

Figure 5.9 Generalized ElGamal Public-key Cryptosystem

Let's now turn to the "generalized" Discrete Log problem. The subgroup H generated by any $\alpha \in G$ is of course a cyclic group of order |H|. So any version of the problem is equivalent, in some sense, to the Discrete Log problem in a cyclic group. However, the difficulty of the Discrete Log problem seems to depend in an essential way on the representation of the group that is used.

As an example to illustrate a representation where the problem is easy to solve, consider the additive cyclic group $\mathbb{Z}_n$, and suppose gcd($\alpha$, n) = 1, so $\alpha$ is a generator of $\mathbb{Z}_n$. Since the group operation is addition modulo n, an "exponentiation" operation, $\alpha^a$, corresponds to multiplication by a modulo n. Hence, in this setting, the Discrete Log problem is to find the integer a such that

$$a \alpha \equiv \beta \pmod n.$$

Since gcd($\alpha$, n) = 1, $\alpha$ has a multiplicative inverse modulo n, and we can compute $\alpha^{-1} \bmod n$ easily using the Euclidean algorithm. Then we can solve for a, obtaining

$$\log_\alpha \beta = \beta \alpha^{-1} \bmod n.$$
We previously discussed the Discrete Log problem in the multiplicative group $\mathbb{Z}_p^*$, where p is prime. This group is a cyclic group of order p - 1, and hence it is isomorphic to the additive group $\mathbb{Z}_{p-1}$. By the discussion above, we know how to compute discrete logs efficiently in this additive group. This suggests that we could solve the Discrete Log problem in $\mathbb{Z}_p^*$ by "reducing" the problem to the easily solved formulation in $\mathbb{Z}_{p-1}$.

Let us think about how this could be done. The statement that $(\mathbb{Z}_p^*, \cdot)$ is isomorphic to $(\mathbb{Z}_{p-1}, +)$ means that there is a bijection

$$\phi : \mathbb{Z}_p^* \to \mathbb{Z}_{p-1}$$

such that

$$\phi(xy \bmod p) = (\phi(x) + \phi(y)) \bmod (p - 1).$$

It follows easily that

$$\phi(\alpha^a \bmod p) = a \phi(\alpha) \bmod (p - 1),$$

so we have that

$$\beta \equiv \alpha^a \pmod p \iff \phi(\beta) \equiv a \phi(\alpha) \pmod{p - 1}.$$

Hence, solving for a as described above, we have that

$$\log_\alpha \beta = \phi(\beta) (\phi(\alpha))^{-1} \bmod (p - 1).$$

Consequently, if we have an efficient method of computing the isomorphism $\phi$, then we would have an efficient algorithm to compute discrete logs in $\mathbb{Z}_p^*$. The catch is that there is no known general method to efficiently compute the isomorphism $\phi$ for an arbitrary prime p. Even though we know the two groups in question are isomorphic, we do not know an efficient algorithm to explicitly describe the isomorphism.

This method can be applied to the Discrete Log problem in any group G. If there is an efficient method of computing the isomorphism between H and $\mathbb{Z}_{|H|}$, then the discrete log problem in G described above can be solved efficiently. Conversely, it is not hard to see that an efficient method of computing discrete logs yields an efficient algorithm to compute the isomorphism between the two groups.

This discussion has shown that the Discrete Log problem may be easy or (apparently) difficult, depending on the representation of the (cyclic) group that is used. So it may be useful to look at other groups in the hope of finding other settings where the Discrete Log problem seems to be intractable.

Two such classes of groups are

1. the multiplicative group of the Galois field $GF(p^n)$

2. the group of an elliptic curve defined over a finite field.

We will discuss these two classes of groups in the next subsections.
5.2.1 Galois Fields

We have already discussed the fact that $\mathbb{Z}_p$ is a field if p is prime. However, there are other examples of finite fields not of this form. In fact, there is a finite field with q elements if $q = p^n$ where p is prime and $n \ge 1$ is an integer. We will now describe very briefly how to construct such a field. First, we need several definitions.

DEFINITION 5.1 Suppose p is prime. Define $\mathbb{Z}_p[x]$ to be the set of all polynomials in the indeterminate x. By defining addition and multiplication of polynomials in the usual way (and reducing coefficients modulo p), we construct a ring.

For $f(x), g(x) \in \mathbb{Z}_p[x]$, we say that f(x) divides g(x) (notation: f(x) | g(x)) if there exists $q(x) \in \mathbb{Z}_p[x]$ such that

$$g(x) = q(x) f(x).$$

For $f(x) \in \mathbb{Z}_p[x]$, define deg(f), the degree of f, to be the highest exponent in a term of f.

Suppose $f(x), g(x), h(x) \in \mathbb{Z}_p[x]$ and $\deg(f) = n \ge 1$. We define

$$g(x) \equiv h(x) \pmod{f(x)}$$

if

$$f(x) \mid (g(x) - h(x)).$$

Notice the resemblance of the definition of congruence of polynomials to that of congruence of integers.

We are now going to define a ring of polynomials "modulo f(x)" which we denote by $\mathbb{Z}_p[x]/(f(x))$. The construction of $\mathbb{Z}_p[x]/(f(x))$ from $\mathbb{Z}_p[x]$ is based on the idea of congruences modulo f(x) and is analogous to the construction of $\mathbb{Z}_m$ from $\mathbb{Z}$.

Suppose deg(f) = n. If we divide g(x) by f(x), we obtain a (unique) quotient q(x) and remainder r(x), where

$$g(x) = q(x) f(x) + r(x)$$

and

$$\deg(r) < n.$$

This can be done by usual long division of polynomials. Hence any polynomial in $\mathbb{Z}_p[x]$ is congruent modulo f(x) to a unique polynomial of degree at most n - 1.

Now we define the elements of $\mathbb{Z}_p[x]/(f(x))$ to be the $p^n$ polynomials in $\mathbb{Z}_p[x]$ of degree at most n - 1. Addition and multiplication in $\mathbb{Z}_p[x]/(f(x))$ is defined as in $\mathbb{Z}_p[x]$, followed by a reduction modulo f(x). Equipped with these operations, $\mathbb{Z}_p[x]/(f(x))$ is a ring.

Recall that $\mathbb{Z}_m$ is a field if and only if m is prime, and multiplicative inverses can be found using the Euclidean algorithm. A similar situation holds for $\mathbb{Z}_p[x]/(f(x))$. The analog of primality for polynomials is irreducibility, which we define as follows:

DEFINITION 5.2 A polynomial $f(x) \in \mathbb{Z}_p[x]$ is said to be irreducible if there do not exist polynomials $f_1(x), f_2(x) \in \mathbb{Z}_p[x]$ such that

$$f(x) = f_1(x) f_2(x),$$

where $\deg(f_1) > 0$ and $\deg(f_2) > 0$.

A very important fact is that $\mathbb{Z}_p[x]/(f(x))$ is a field if and only if f(x) is irreducible. Further, multiplicative inverses in $\mathbb{Z}_p[x]/(f(x))$ can be computed using a straightforward modification of the (extended) Euclidean algorithm.

Here is an example to illustrate the concepts described above.

Example 5.6

Let's attempt to construct a field having eight elements. This can be done by finding an irreducible polynomial of degree three in $\mathbb{Z}_2[x]$. It is sufficient to consider the polynomials having constant term equal to 1, since any polynomial with constant term 0 is divisible by x and hence is reducible. There are four such polynomials:

$$f_1(x) = x^3 + 1$$

$$f_2(x) = x^3 + x + 1$$

$$f_3(x) = x^3 + x^2 + 1$$

$$f_4(x) = x^3 + x^2 + x + 1.$$

Now, $f_1(x)$ is reducible, since

$$x^3 + 1 = (x + 1)(x^2 + x + 1)$$

(remember that all coefficients are to be reduced modulo 2). Also, $f_4(x)$ is reducible since

$$x^3 + x^2 + x + 1 = (x + 1)(x^2 + 1).$$

However, $f_2(x)$ and $f_3(x)$ are both irreducible, and either one can be used to construct a field having eight elements.

Let us use $f_2(x)$, and thus construct the field $\mathbb{Z}_2[x]/(x^3 + x + 1)$. The eight field elements are the eight polynomials $0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x$ and $x^2 + x + 1$.

To compute a product of two field elements, we multiply the two polynomials together, and reduce modulo $x^3 + x + 1$ (i.e., divide by $x^3 + x + 1$ and find the remainder polynomial). Since we are dividing by a polynomial of degree three, the remainder will have degree at most two and hence is an element of the field.

For example, to compute $(x^2 + 1)(x^2 + x + 1)$ in $\mathbb{Z}_2[x]/(x^3 + x + 1)$, we first compute the product in $\mathbb{Z}_2[x]$, which is $x^4 + x^3 + x + 1$. Then we divide by $x^3 + x + 1$, obtaining the expression

$$x^4 + x^3 + x + 1 = (x + 1)(x^3 + x + 1) + x^2 + x.$$

Hence, in the field $\mathbb{Z}_2[x]/(x^3 + x + 1)$ we have that

$$(x^2 + 1)(x^2 + x + 1) = x^2 + x.$$

Below, we present a complete multiplication table for the non-zero field elements. To save space, we write a polynomial $a_2 x^2 + a_1 x + a_0$ as the ordered triple $a_2 a_1 a_0$.

        001  010  011  100  101  110  111
  001   001  010  011  100  101  110  111
  010   010  100  110  011  001  111  101
  011   011  110  101  111  100  001  010
  100   100  011  111  110  010  101  001
  101   101  001  100  010  111  011  110
  110   110  111  001  101  011  010  100
  111   111  101  010  001  110  100  011

Computation of inverses can be done by using a straightforward adaptation of the extended Euclidean algorithm.

Finally, the multiplicative group of the non-zero polynomials in the field is a cyclic group of order seven. Since 7 is prime, it follows that any non-zero field element is a generator of this group, i.e., a primitive element of the field.

For example, if we compute the powers of x, we obtain

$$x^0 = 1,\ x^1 = x,\ x^2 = x^2,\ x^3 = x + 1,\ x^4 = x^2 + x,\ x^5 = x^2 + x + 1,\ x^6 = x^2 + 1,$$

which comprise all the non-zero field elements.

It remains to discuss existence and uniqueness of fields of this type. It can be shown that there is at least one irreducible polynomial of any given degree $n \ge 1$ in $\mathbb{Z}_p[x]$. Hence, there is a finite field with $p^n$ elements for all primes p and all integers $n \ge 1$. There are usually many irreducible polynomials of degree n in $\mathbb{Z}_p[x]$. But the finite fields constructed from any two irreducible polynomials of degree n can be shown to be isomorphic. Thus there is a unique finite field of any size $p^n$ (p prime, $n \ge 1$), which is denoted by $GF(p^n)$. In the case n = 1, the resulting field GF(p) is the same thing as $\mathbb{Z}_p$. Finally, it can be shown that there does not exist a finite field with r elements unless $r = p^n$ for some prime p and some integer $n \ge 1$.

We have already noted that the multiplicative group $\mathbb{Z}_p^*$ (p prime) is a cyclic group of order p - 1. In fact, the multiplicative group of any finite field is cyclic: $GF(p^n) \setminus \{0\}$ is a cyclic group of order $p^n - 1$. This provides further examples of cyclic groups in which the discrete log problem can be studied.

In practice, the finite fields $GF(2^n)$ have been most studied. Both the Shanks and Pohlig-Hellman discrete logarithm algorithms work for fields $GF(2^n)$. The index calculus method can be modified to work in these fields. The precomputation time of the index calculus algorithm turns out to be

and the time to find an individual discrete log is

However, for large values of n (say n > 800), the discrete log problem in $GF(2^n)$ is thought to be intractable provided $2^n - 1$ has at least one "large" prime factor (in order to thwart a Pohlig-Hellman attack).
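An added implementation of arithmetic in $\mathbb{Z}_2[x]/(x^3 + x + 1)$, not code from the textbook, reproducing Example 5.6. A polynomial $a_2 x^2 + a_1 x + a_0$ is held as the 3-bit integer $a_2 a_1 a_0$, exactly the triple notation of the multiplication table, so that polynomial addition is XOR and multiplication is carry-less multiplication followed by reduction. The inverse is taken via $a^{-1} = a^{2^n - 2}$ rather than the extended Euclidean algorithm the text mentions; the root test for irreducibility and all function names are our own.

```python
# Added example for Example 5.6 (not code from the textbook): GF(2^3) as
# Z_2[x]/(x^3 + x + 1), elements as 3-bit integers a2 a1 a0.

MOD = 0b1011          # x^3 + x + 1
DEG = 3

def gf_mul(a, b, mod=MOD, deg=DEG):
    """Multiply in Z_2[x] (shift-and-xor), reducing modulo `mod` as we go."""
    r = 0
    while b:
        if b & 1:
            r ^= a                 # add (xor) the current multiple of a
        b >>= 1
        a <<= 1                    # a := a * x
        if (a >> deg) & 1:         # degree reached deg: subtract (xor) mod
            a ^= mod
    return r

def gf_inv(a, mod=MOD, deg=DEG):
    """Inverse of a non-zero element: the multiplicative group has order
    2^deg - 1, so a^(2^deg - 2) = a^-1 (Fermat, in place of extended Euclid)."""
    assert a != 0
    r, e = 1, (1 << deg) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a, mod, deg)
        a = gf_mul(a, a, mod, deg)
        e >>= 1
    return r

def reducible_cubic_over_gf2(poly_bits):
    """A cubic over Z_2 is reducible iff it has a linear factor, i.e. a root
    in Z_2: root 0 iff the constant term is 0, root 1 iff it has an even
    number of terms (f(1) = number of terms mod 2)."""
    return (poly_bits & 1) == 0 or bin(poly_bits).count("1") % 2 == 0

def mult_table():
    """Multiplication table of the seven non-zero elements, (a, b) -> a*b."""
    elems = range(1, 1 << DEG)
    return {(a, b): gf_mul(a, b) for a in elems for b in elems}

def powers_of_x():
    """x^0, x^1, ..., x^6: x generates the cyclic group of order 7."""
    out, g = [], 1
    for _ in range(7):
        out.append(g)
        g = gf_mul(g, 0b010)
    return out

if __name__ == "__main__":
    print(format(gf_mul(0b101, 0b111), "03b"))   # 110, i.e. (x^2+1)(x^2+x+1) = x^2+x
    print([format(v, "03b") for v in powers_of_x()])
```

The four candidate cubics of the example are 1001, 1011, 1101 and 1111 in this notation; `reducible_cubic_over_gf2` rejects exactly $f_1$ and $f_4$, matching the factorizations in the text.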

5.2.2 Elliptic Curves 

We begin by defining the concept of an elliptic curve. 

2 3 *Mj 

DEFINITION 5.3 Let p>3 be prime. The elliptic curve y = x + ax + b over P, is the set of solutions 
(i, y) e Zp x Sp to tne congmence 

= + am + b (mod p). (M) 

fi (~ *M 3 2 

where a"^ p are constants such that 4a + 21b ^ 0 (mod p), together with a special point O called 

l 

the point at infinity. 



Equation 5.1 can be used to define an elliptic curve over any field GF(p n ), for/? > 3 prime. An 
elliptic curve over GF(2") or GF(3") is defined by a slightly different equation. 



An elliptic curve E can be made into an abelian group by defining a suitable operation on its points. The 
operation is written additively, and is defined as follows (where all arithmetic operations are performed 

in ^P: Suppose 
and 

Q - fe^?) 

are points on E. If x^ = x^ and y 2 = -y^ then + Q ~ ^ ; otherwise P + Q = (x^, y ), where 

X3 — A 2 — X\ - X2 
3/3 - K x l ~ x &) ~VU 

and 
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¥2 yi , LfP/Q 

— X\ 



Finally, define 

P + C? = O + P = P 

for all P e E. With this definition of addition, it can be shown that E is an abelian group with identity 

element (most of the verifications are tedious but straightforward, but proving associativity is quite 
difficult). 

Note that inverses are very easy to compute. The inverse of (x, y) (which we write as -(x, y) since the 
group operation is additive) is (x, -y), for all (x, y) e E. 

Let us look at a small example.

Example 5.7

Let E be the elliptic curve y^2 = x^3 + x + 6 over Z_11. Let's first determine the points on E. This can be done by looking at each possible x ∈ Z_11, computing x^3 + x + 6 mod 11, and then trying to solve Equation 5.1 for y. For a given x we can test to see if z = x^3 + x + 6 mod 11 is a quadratic residue by applying Euler's criterion. Recall that there is an explicit formula to compute square roots of quadratic residues modulo p for primes p ≡ 3 (mod 4). Applying this formula, we have that the square roots of a quadratic residue z are

± z^{(p+1)/4} mod p = ± z^3 mod 11.
The results of these computations are tabulated in Table 5.2.

Table 5.2 Points on the elliptic curve y^2 = x^3 + x + 6 over Z_11

x     x^3 + x + 6 mod 11     in QR(11)?     y
0     6                      no
1     8                      no
2     5                      yes            4, 7
3     3                      yes            5, 6
4     8                      no
5     4                      yes            2, 9
6     8                      no
7     4                      yes            2, 9
8     9                      yes            3, 8
9     7                      no
10    4                      yes            2, 9

Thus E has 13 points on it. Since any group of prime order is cyclic, it follows that E is isomorphic to Z_13, and any point other than the point at infinity is a generator of E. Suppose we take the generator α = (2, 7). Then we can compute the "powers" of α (which we will write as multiples of α, since the group operation is additive). To compute 2α = (2, 7) + (2, 7), we first compute

λ = (3 × 2^2 + 1)(2 × 7)^{-1} mod 11
  = 2 × 3^{-1} mod 11
  = 2 × 4 mod 11
  = 8.

Then we have

x_3 = 8^2 - 2 - 2 mod 11
    = 5

and

y_3 = 8(2 - 5) - 7 mod 11
    = 2,

so 2α = (5, 2).

The next multiple would be 3α = 2α + α = (5, 2) + (2, 7). Again, we begin by computing λ, which in this situation is done as follows:

λ = (7 - 2)(2 - 5)^{-1} mod 11
  = 5 × 8^{-1} mod 11
  = 5 × 7 mod 11
  = 2.

Then we have

x_3 = 2^2 - 5 - 2 mod 11
    = 8

and

y_3 = 2(5 - 8) - 2 mod 11
    = 3,

so 3α = (8, 3).

Continuing in this fashion, the remaining multiples can be computed to be the following:

α = (2, 7)       2α = (5, 2)      3α = (8, 3)
4α = (10, 2)     5α = (3, 6)      6α = (7, 9)
7α = (7, 2)      8α = (3, 5)      9α = (10, 9)
10α = (8, 8)     11α = (5, 9)     12α = (2, 4)

Hence α = (2, 7) is indeed a primitive element.



An elliptic curve E defined over Z_p (p prime, p > 3) will have roughly p points on it. More precisely, a well-known theorem due to Hasse asserts that the number of points on E, which we denote by #E, satisfies the following inequality:

p + 1 - 2√p ≤ #E ≤ p + 1 + 2√p.

Computing the exact value of #E is more difficult, but there is an efficient algorithm to do this, due to Schoof. (By "efficient" we mean that it has a running time that is polynomial in log p. Schoof's algorithm has a running time of O((log p)^8) bit operations and is practical for primes p having several hundred digits.)

Now, given that we can compute #E, we further want to find a cyclic subgroup of E in which the discrete log problem is intractable. So we would like to know something about the structure of the group E. The following theorem gives a considerable amount of information on the group structure of E.

THEOREM 5.1

Let E be an elliptic curve defined over Z_p, where p is prime, p > 3. Then there exist integers n_1 and n_2 such that E is isomorphic to Z_{n_1} × Z_{n_2}. Further, n_2 | n_1 and n_2 | (p - 1).

Hence, if the integers n_1 and n_2 can be computed, then we know that E has a cyclic subgroup isomorphic to Z_{n_1} that can potentially be used as a setting for an ElGamal Cryptosystem.

Note that if n_2 = 1, then E is a cyclic group. Also, if #E is a prime, or the product of distinct primes, then E must be a cyclic group.



The Shanks and Pohlig-Hellman algorithms apply to the elliptic curve logarithm problem, but there is no known adaptation of the index calculus method to elliptic curves. However, there is a method of exploiting an explicit isomorphism between elliptic curves and finite fields that leads to efficient algorithms for certain classes of elliptic curves. This technique, due to Menezes, Okamoto and Vanstone, can be applied to some particular examples within a special class of elliptic curves called supersingular curves that were suggested for use in cryptosystems. If the supersingular curves are avoided, however, then it appears that an elliptic curve having a cyclic subgroup of size about 2^160 will provide a secure setting for a cryptosystem, provided that the order of the subgroup is divisible by at least one large prime factor (again, to guard against a Pohlig-Hellman attack).



Let's now look at an example of ElGamal encryption using the elliptic curve of Example 5.7.

Example 5.8

Suppose that α = (2, 7) and Bob's secret "exponent" is a = 7, so

β = 7α = (7, 2).

Thus the encryption operation is

e_K(x, k) = (kα, x + kβ) = (k(2, 7), x + k(7, 2)),

where x ∈ E and 0 ≤ k ≤ 12, and the decryption operation is

d_K(y_1, y_2) = y_2 - 7y_1.

Suppose that Alice wishes to encrypt the message x = (10, 9) (which is a point on E). If she chooses the random value k = 3, then she will compute

y_1 = 3(2, 7)
    = (8, 3)

and

y_2 = (10, 9) + 3(7, 2)
    = (10, 9) + (3, 5)
    = (10, 2).

Hence, y = ((8, 3), (10, 2)). Now, if Bob receives the ciphertext y, he decrypts it as follows:

x = (10, 2) - 7(8, 3)
  = (10, 2) - (3, 5)
  = (10, 2) + (3, 6)
  = (10, 9).

Hence, the decryption yields the correct plaintext.

There are some practical difficulties in implementing an ElGamal Cryptosystem on an elliptic curve. This system, when implemented in Z_p (or in GF(p^n) with n > 1), has a message expansion factor of two. An elliptic curve implementation has a message expansion factor of (about) four. This happens since there are approximately p plaintexts, but each ciphertext consists of four field elements. A more serious problem is that the plaintext space consists of the points on the curve E, and there is no convenient method known of deterministically generating points on E.

A more efficient variation has been found by Menezes and Vanstone. In this variation, the elliptic curve is used for "masking," and plaintexts and ciphertexts are allowed to be arbitrary ordered pairs of (nonzero) field elements (i.e., they are not required to be points on E). This yields a message expansion factor of two, the same as in the original ElGamal Cryptosystem. The Menezes-Vanstone Cryptosystem is presented in Figure 5.10.

If we return to the curve y^2 = x^3 + x + 6 over Z_11, we see that the Menezes-Vanstone Cryptosystem allows 10 × 10 = 100 plaintexts, as compared to 13 in the original system. We illustrate encryption and decryption in this system using this same curve.

Example 5.9

As in the previous example, suppose that α = (2, 7) and Bob's secret "exponent" is a = 7, so

β = 7α = (7, 2).

Suppose Alice wants to encrypt the plaintext

x = (x_1, x_2) = (9, 1)

(note that x is not a point on E), and she chooses the random value k = 6. First, she computes

y_0 = kα = 6(2, 7) = (7, 9)

and

kβ = 6(7, 2) = (8, 3),

so c_1 = 8 and c_2 = 3. Next, she calculates

y_1 = c_1 x_1 mod p = 8 × 9 mod 11 = 6

and

y_2 = c_2 x_2 mod p = 3 × 1 mod 11 = 3.

Figure 5.10 Menezes-Vanstone Elliptic Curve Cryptosystem

The ciphertext she sends to Bob is

y = (y_0, y_1, y_2) = ((7, 9), 6, 3).

When Bob receives the ciphertext y, he first computes

(c_1, c_2) = a y_0 = 7(7, 9) = (8, 3),

and then

x = (y_1 c_1^{-1} mod p, y_2 c_2^{-1} mod p)
  = (6 × 8^{-1} mod 11, 3 × 3^{-1} mod 11)
  = (6 × 7 mod 11, 3 × 4 mod 11)
  = (9, 1).

Figure 5.11 Subset Sum problem

Hence, the decryption yields the correct plaintext.
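The following is an added worked example, not code from the book: it implements the group law of Definition 5.3 on y^2 = x^3 + ax + b over Z_p, enumerates the points as in Example 5.7 (Euler's criterion plus the p ≡ 3 (mod 4) square-root formula), and then runs both the elliptic-curve ElGamal encryption of Example 5.8 and the Menezes-Vanstone encryption of Example 5.9 on the same toy curve. The curve, generator and key are the book's values; the function names, the double-and-add scalar multiplication and the `INF` representation of O are choices made for this example.

```python
# Added example (not code from the book): the group law of Definition 5.3 on
# y^2 = x^3 + a*x + b over Z_p, point enumeration as in Example 5.7, the
# elliptic-curve ElGamal variant of Example 5.8 and the Menezes-Vanstone
# variant of Example 5.9.  Parameters are the book's toy curve; function and
# variable names are this example's own.

INF = None  # the point at infinity O


def curve_points(a, b, p):
    """List E(Z_p) for p = 3 (mod 4): test z = x^3 + ax + b by Euler's
    criterion and take square roots as +/- z^((p+1)/4) (Example 5.7)."""
    assert p % 4 == 3 and (4 * a**3 + 27 * b**2) % p != 0
    pts = [INF]
    for x in range(p):
        z = (x**3 + a * x + b) % p
        if z == 0:
            pts.append((x, 0))
        elif pow(z, (p - 1) // 2, p) == 1:        # z is a quadratic residue
            y = pow(z, (p + 1) // 4, p)
            pts.extend([(x, y), (x, p - y)])
    return pts


def ec_add(P, Q, a, p):
    """P + Q using the chord/tangent formulas of Section 5.2.2."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:           # Q = -P
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_neg(P, p):
    return INF if P is INF else (P[0], (-P[1]) % p)


def ec_mul(k, P, a, p):
    """k*P by double-and-add (the 'multiples of alpha' of Example 5.7)."""
    R = INF
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


# --- ElGamal on E (Example 5.8): plaintexts are points of E ---------------
def eg_encrypt(x, k, alpha, beta, a, p):
    return ec_mul(k, alpha, a, p), ec_add(x, ec_mul(k, beta, a, p), a, p)


def eg_decrypt(y1, y2, sk, a, p):
    return ec_add(y2, ec_neg(ec_mul(sk, y1, a, p), p), a, p)


# --- Menezes-Vanstone (Example 5.9): plaintexts are pairs in Z_p^* x Z_p^* --
def mv_encrypt(x, k, alpha, beta, a, p):
    y0 = ec_mul(k, alpha, a, p)
    kb = ec_mul(k, beta, a, p)
    assert kb is not INF and kb[0] and kb[1], "k gives a zero mask; choose another k"
    c1, c2 = kb
    return y0, c1 * x[0] % p, c2 * x[1] % p


def mv_decrypt(y0, y1, y2, sk, a, p):
    c1, c2 = ec_mul(sk, y0, a, p)
    return y1 * pow(c1, -1, p) % p, y2 * pow(c2, -1, p) % p


if __name__ == "__main__":
    a, b, p = 1, 6, 11                             # the curve of Example 5.7
    alpha = (2, 7)
    print(len(curve_points(a, b, p)), "points on E")
    for k in range(1, 13):
        print(f"{k}alpha = {ec_mul(k, alpha, a, p)}")
    beta = ec_mul(7, alpha, a, p)                  # Bob's secret exponent is 7
    print("ElGamal:", eg_encrypt((10, 9), 3, alpha, beta, a, p))
    print("Menezes-Vanstone:", mv_encrypt((9, 1), 6, alpha, beta, a, p))
```

Running it reproduces Table 5.2 (13 points), the multiples of α, the ciphertext ((8, 3), (10, 2)) of Example 5.8 and the ciphertext ((7, 9), 6, 3) of Example 5.9. The assertion in `mv_encrypt` is the practical caveat behind the "nonzero field elements" requirement: if kβ = O or has a zero coordinate, the mask does not hide the corresponding plaintext coordinate and Bob cannot invert it, so that k must be rejected.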
5.3 The Merkle-Hellman Knapsack System

The well-known Merkle-Hellman Knapsack Cryptosystem was first described by Merkle and Hellman in 1978. Although this cryptosystem, and several variants of it, were broken in the early 1980's, it is still worth studying for its conceptual elegance and for the underlying design technique.

The term "knapsack" is actually a misnomer;² the system is based on the Subset Sum problem which is presented in Figure 5.11.

² The Knapsack problem, as it is usually defined, is a problem involving selecting objects with given weights and profits in such a way that a specified capacity is not exceeded and a specified target profit is attained.

The Subset Sum problem, as phrased in Figure 5.11, is a decision problem (i.e., we are required only to answer "yes" or "no"). If we rephrase the problem slightly, so that in any instance where the answer is "yes" we are required to find the desired vector x (which may not be unique), then we have a search problem.

Figure 5.12 Algorithm for solving a superincreasing instance of the subset sum problem

The Subset Sum (decision) problem is one of the so-called NP-complete problems. Among other things, this means that there is no known polynomial-time algorithm that solves it. This is also the case for the Subset Sum search problem. But even if a problem has no polynomial-time algorithm to solve it in general, this does not rule out the possibility that certain special cases can be solved in polynomial time. This is indeed the situation with the Subset Sum problem.

We define a list of sizes, (s_1, ..., s_n), to be superincreasing if

s_j > Σ_{i=1}^{j-1} s_i

for 2 ≤ j ≤ n. If the list of sizes is superincreasing, then the search version of the Subset Sum problem can be solved very easily in time O(n), and a solution x (if it exists) must be unique. The algorithm to do this is presented in Figure 5.12.

Suppose s = (s_1, ..., s_n) is superincreasing, and consider the function

e_s : {0, 1}^n → {0, ..., Σ_{i=1}^{n} s_i}

defined by the rule

e_s(x_1, ..., x_n) = Σ_{i=1}^{n} x_i s_i.

Is e_s a possible candidate for an encryption rule? Since s is superincreasing, e_s is an injection, and the algorithm presented in Figure 5.12 would be the corresponding decryption algorithm. However, such a system would be completely insecure since anyone (including Oscar) can decrypt a message that is encrypted in this way.

The strategy therefore is to transform the list of sizes in such a way that it is no longer superincreasing. Bob will be able to apply an inverse transformation to restore the superincreasing list of sizes. On the other hand Oscar, who does not know the transformation that was applied, is faced with what looks like a general, apparently difficult, instance of the subset sum problem when he tries to decrypt a ciphertext.

One suitable type of transformation is a modular transformation. That is, a prime modulus p is chosen such that

p > Σ_{i=1}^{n} s_i,

as well as a multiplier a, where 1 ≤ a ≤ p - 1. Then we define

t_i = a s_i mod p,

1 ≤ i ≤ n. The list of sizes t = (t_1, ..., t_n) will be the public key used for encryption. The values a, p used to define the modular transformation are secret. The complete description of the Merkle-Hellman Knapsack Cryptosystem is given in Figure 5.13.

The following small example illustrates the encryption and decryption operations in the Merkle- 
Hellman Cryptosystem. 

Example 5.10

Suppose

s = (2, 5, 9, 21, 45, 103, 215, 450, 946)

is the secret superincreasing list of sizes. Suppose p = 2003 and a = 1289. Then the public list of sizes is

t = (575, 436, 1586, 1030, 1921, 569, 721, 1183, 1570).

Now, if Alice wants to encrypt the plaintext x = (1, 0, 1, 1, 0, 0, 1, 1, 1), she computes

y = 575 + 1586 + 1030 + 721 + 1183 + 1570 = 6665.

When Bob receives the ciphertext y, he first computes

z = a^{-1} y mod p
  = 317 × 6665 mod 2003
  = 1643.

Then Bob solves the instance I = (s, z) of the Subset Sum problem using the algorithm presented in Figure 5.12. The plaintext (1, 0, 1, 1, 0, 0, 1, 1, 1) is obtained.
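The following is an added example, not the book's own code. It implements the superincreasing solver of Figure 5.12, the key generation, encryption and decryption of the Merkle-Hellman Knapsack Cryptosystem (Figure 5.13) and checks them against Example 5.10. It also implements the trial-and-error attack that Exercise 5.10 asks for: when the modulus p is known, every candidate multiplier a' is tried and kept if a'·t mod p sorts into a superincreasing list, which yields a trapdoor equivalent to Bob's. All function names, and the `recover_multipliers` / `mh_decrypt_with_trapdoor` helpers, are this example's own.

```python
# Added example (not the book's code): Merkle-Hellman (Figure 5.13) with the
# superincreasing solver of Figure 5.12, checked against Example 5.10, plus
# the trial-and-error recovery of the multiplier from a leaked modulus that
# Exercise 5.10 asks for.  Names and the attack helpers are this example's own.

def is_superincreasing(s):
    """s_j > s_1 + ... + s_{j-1} for every j."""
    total = 0
    for v in s:
        if v <= total:
            return False
        total += v
    return True


def solve_superincreasing(s, target):
    """Figure 5.12: scan from the largest size down, taking s_i whenever it
    still fits.  Returns the unique 0/1 vector x, or None if no solution."""
    x = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):
        if target >= s[i]:
            x[i] = 1
            target -= s[i]
    return x if target == 0 else None


def mh_public_key(s, p, a):
    """t_i = a * s_i mod p; requires p prime, p > sum(s), 1 <= a <= p - 1."""
    assert is_superincreasing(s) and p > sum(s) and 1 <= a <= p - 1
    return [a * si % p for si in s]


def mh_encrypt(t, x):
    return sum(ti for ti, xi in zip(t, x) if xi)


def mh_decrypt(s, p, a, y):
    z = pow(a, -1, p) * y % p                      # undo the modular transformation
    return solve_superincreasing(s, z)


def recover_multipliers(t, p):
    """Attack when p leaks: every a' for which a'*t mod p, once sorted, is
    superincreasing.  Each such a' (with its sort permutation) is an
    equivalent trapdoor; a' = a^-1 is always among them."""
    found = []
    for a_inv in range(1, p):
        if is_superincreasing(sorted(a_inv * ti % p for ti in t)):
            found.append(a_inv)
    return found


def mh_decrypt_with_trapdoor(t, p, a_inv, y):
    """Decrypt knowing only the public t, the modulus p and a recovered a'."""
    s_perm = [a_inv * ti % p for ti in t]
    order = sorted(range(len(t)), key=lambda i: s_perm[i])
    x_sorted = solve_superincreasing([s_perm[i] for i in order], a_inv * y % p)
    if x_sorted is None:
        return None
    x = [0] * len(t)
    for pos, i in enumerate(order):                # map bits back to t's ordering
        x[i] = x_sorted[pos]
    return x


if __name__ == "__main__":
    s = [2, 5, 9, 21, 45, 103, 215, 450, 946]       # Example 5.10
    p, a = 2003, 1289
    t = mh_public_key(s, p, a)
    y = mh_encrypt(t, [1, 0, 1, 1, 0, 0, 1, 1, 1])
    print(t, y, mh_decrypt(s, p, a, y))
    print("trapdoors found with p known:", recover_multipliers(t, p))
```

The attack loop is the reason the modulus must stay secret along with a: with p known, the search space for the trapdoor is only p - 1 candidates, and the superincreasing structure is easy to recognise. Shamir's break, discussed below, removes even that requirement.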



Figure 5.13 Merkle-Hellman Knapsack Cryptosystem

By the early 1980's, the Merkle-Hellman Knapsack Cryptosystem had been broken by Shamir. Shamir was able to use an integer programming algorithm of Lenstra to break the system. This allows Bob's trapdoor (or an equivalent trapdoor) to be discovered by Oscar, the cryptanalyst. Then Oscar can decrypt messages exactly as Bob does.

5.4 The McEliece System

The McEliece Cryptosystem uses the same design principle as the Merkle-Hellman Cryptosystem: decryption is an easy special case of an NP-complete problem, disguised so that it looks like a general instance of the problem. In this system, the NP-complete problem that is employed is decoding a general linear (binary) error-correcting code. However, for many special classes of codes, polynomial-time algorithms are known to exist. One such class of codes, the Goppa codes, are used as the basis of the McEliece Cryptosystem.

We begin with some essential definitions. 

DEFINITION 5.4 Let k, n be positive integers, k < n. An [n, k] code, C, is a k-dimensional subspace of (Z_2)^n, the vector space of all binary n-tuples.

A generating matrix for an [n, k] code, C, is a k × n binary matrix whose rows form a basis for C.

Let x, y ∈ (Z_2)^n, where x = (x_1, ..., x_n) and y = (y_1, ..., y_n). Define the Hamming distance

d(x, y) = |{i : 1 ≤ i ≤ n, x_i ≠ y_i}|,

i.e., the number of coordinates in which x and y differ.

Let C be an [n, k] code. Define the distance of C to be the quantity

d(C) = min{d(x, y) : x, y ∈ C, x ≠ y}.

An [n, k] code with distance d is denoted as an [n, k, d] code.

The purpose of an error-correcting code is to correct random errors that occur in the transmission of (binary) data through a noisy channel. Briefly, this is done as follows. Let G be a generating matrix for an [n, k, d] code. Suppose x is the binary k-tuple we wish to transmit. Then Alice encodes x as the n-tuple y = xG, and transmits y through the channel.

Now, suppose Bob receives the n-tuple r, which may not be the same as y. He will decode r using the strategy of nearest neighbor decoding. In nearest neighbor decoding, Bob finds the codeword y' that has minimum distance to r. Then he decodes r to y', and, finally, determines the k-tuple x' such that y' = x'G. Bob is hoping that y' = y, so x' = x (i.e., he is hoping that any transmission errors have been corrected).

It is fairly easy to show that if at most ⌊(d - 1)/2⌋ errors occurred during transmission, then nearest neighbor decoding does in fact correct all the errors.

Let us think about how nearest neighbor decoding would be done in practice. |C| = 2^k, so if Bob compares r to every codeword, he will have to examine 2^k vectors, which is an exponentially large number compared to k. In other words, this obvious algorithm is not a polynomial-time algorithm.

Another approach, which forms the basis for many practical decoding algorithms, is based on the idea of a syndrome. A parity-check matrix for an [n, k, d] code C having generating matrix G is an (n - k) × n 0-1 matrix, denoted by H, whose rows form a basis for the orthogonal complement of C, which is denoted by C^⊥ and called the dual code to C. Stated another way, the rows of H are linearly independent vectors, and GH^T is a k × (n - k) matrix of zeroes.

Given a vector r ∈ (Z_2)^n, we define the syndrome of r to be Hr^T. A syndrome is a column vector with n - k components.

The following basic results follow immediately from linear algebra.

THEOREM 5.2

Suppose C is an [n, k] code with generating matrix G and parity-check matrix H. Then x ∈ (Z_2)^n is a codeword if and only if

Hx^T = (0, 0, ..., 0)^T.

Further, if x ∈ C, e ∈ (Z_2)^n and r = x + e, then Hr^T = He^T.

Think of e as being the vector of errors that occur during transmission of a codeword x. Then r represents the vector that is received. The above theorem is saying that the syndrome depends only on the errors, and not on the particular codeword that was transmitted.

This suggests the following approach to decoding, known as syndrome decoding: First, compute s = Hr^T. If s is a vector of zeroes, then decode r as r. If not, then generate all possible error vectors of weight 1 in turn. For each such e, compute He^T. If, for any of these vectors e, it happens that He^T = s, then decode r to r - e. Otherwise, continue on to generate all error vectors of weight 2, ..., ⌊(d - 1)/2⌋. If at any time He^T = s, then we decode r to r - e and quit. If this equation is never satisfied, then we conclude that more than ⌊(d - 1)/2⌋ errors have occurred during transmission.

By this approach, we can decode a received vector in at most

1 + C(n, 1) + ... + C(n, ⌊(d - 1)/2⌋)

steps.

This method will work on any linear code. For certain specific types of codes, the decoding procedure can be speeded up. However, a decision version of nearest neighbor decoding is in fact an NP-complete problem. Thus no polynomial-time algorithm is known for the general problem of nearest neighbor decoding (when the number of errors is not bounded by ⌊(d - 1)/2⌋).

As was the case with the subset sum problem, we can identify an "easy" special case, and then disguise it so that it looks like a "difficult" general case of the problem. It would take us too long to go into the theory here, so we will just summarize the results. The "easy" special case that was suggested by McEliece is to use a code from a class of codes known as the Goppa codes. These codes do in fact have efficient decoding algorithms. Also, they are easy to generate, and there are a large number of inequivalent Goppa codes with the same parameters.

The parameters of the Goppa codes have the form n = 2^m, d = 2t + 1 and k = n - mt. For a practical implementation of the public-key cryptosystem, McEliece suggested taking m = 10 and t = 50. This gives rise to a Goppa code that is a [1024, 524, 101] code. Each plaintext is a binary 524-tuple, and each ciphertext is a binary 1024-tuple. The public key is a 524 × 1024 binary matrix.




Figure 5.14 McEliece Cryptosystem 

A description of the McEliece Cryptosystem is given in Figure 5.14. 

We present a ridiculously small example to illustrate the encoding and decoding procedures. 

Example 5.11

The matrix

G =
  1 0 0 0 1 1 0
  0 1 0 0 1 0 1
  0 0 1 0 0 1 1
  0 0 0 1 1 1 1

is a generating matrix for a [7, 4, 3] code, known as a Hamming code. Suppose Bob chooses the matrices

S =
  1 1 0 1
  1 0 0 1
  0 1 1 1
  1 1 0 0

and

P =
  0 1 0 0 0 0 0
  0 0 0 1 0 0 0
  0 0 0 0 0 0 1
  1 0 0 0 0 0 0
  0 0 1 0 0 0 0
  0 0 0 0 0 1 0
  0 0 0 0 1 0 0

Then, the public generating matrix is

G' = SGP =
  1 1 1 1 0 0 0
  1 1 0 0 1 0 0
  1 0 0 1 1 0 1
  0 1 0 1 1 1 0

Now, suppose Alice encrypts the plaintext x = (1, 1, 0, 1) using as the random error vector of weight 1 the vector e = (0, 0, 0, 0, 1, 0, 0). The ciphertext is computed to be

y = xG' + e
  = (1, 1, 0, 1) G' + (0, 0, 0, 0, 1, 0, 0)
  = (0, 1, 1, 0, 0, 1, 0) + (0, 0, 0, 0, 1, 0, 0)
  = (0, 1, 1, 0, 1, 1, 0).

When Bob receives the ciphertext y, he first computes

y_1 = yP^{-1}
    = (0, 1, 1, 0, 1, 1, 0) P^{-1}
    = (1, 0, 0, 0, 1, 1, 1),

where

P^{-1} =
  0 0 0 1 0 0 0
  1 0 0 0 0 0 0
  0 0 0 0 1 0 0
  0 1 0 0 0 0 0
  0 0 0 0 0 0 1
  0 0 0 0 0 1 0
  0 0 1 0 0 0 0

Next, he decodes y_1 to get x_1 = (1, 0, 0, 0, 1, 1, 0) (note that the single error now sits in position 7 rather than position 5, because the multiplication by P^{-1} permutes the coordinates). Next, Bob forms x_0 = (1, 0, 0, 0) (the first four components of x_1). Finally, Bob calculates

x = x_0 S^{-1}
  = (1, 0, 0, 0) S^{-1}
  = (1, 1, 0, 1),

where

S^{-1} =
  1 1 0 1
  1 1 0 0
  0 1 1 1
  1 0 0 1

This is indeed the plaintext that Alice encrypted.
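The following is an added example, not code from the book or from McEliece's paper. It implements the McEliece Cryptosystem of Figure 5.14 over GF(2) with the syndrome decoding procedure described above standing in for a Goppa decoder, and reproduces Example 5.11 on the [7, 4, 3] Hamming code. The matrices G, S and P are the book's values; the GF(2) linear-algebra helpers (including the Gauss-Jordan inverse used to obtain P^{-1} and S^{-1}) and all function names are this example's own. The decoder takes the error bound t as a parameter, so the same `syndrome_decode` can be run on the BCH parity-check matrix of Exercise 5.11 with t = 2.

```python
# Added example (not code from the book): McEliece (Figure 5.14) on the
# [7, 4, 3] Hamming code of Example 5.11, with the syndrome decoding of the
# text standing in for a Goppa decoder.  Matrices are lists of 0/1 rows over
# GF(2); G, S, P below are the book's values, helper names are ours.
from itertools import combinations


def mat_mul(A, B):
    """A*B over GF(2) (A is m x k, B is k x n)."""
    cols = range(len(B[0]))
    return [[sum(a * brow[j] for a, brow in zip(row, B)) % 2 for j in cols] for row in A]


def vec_mul(v, M):
    return mat_mul([v], M)[0]


def transpose(M):
    return [list(col) for col in zip(*M)]


def gf2_inverse(M):
    """Gauss-Jordan inversion over GF(2); raises ValueError if singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            raise ValueError("matrix is singular")
        A[c], A[piv] = A[piv], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [(x + y) % 2 for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def parity_check(G):
    """For a systematic G = [I_k | A] the dual code has basis H = [A^T | I_{n-k}]."""
    k, n = len(G), len(G[0])
    At = transpose([row[k:] for row in G])
    return [At[i] + [int(i == j) for j in range(n - k)] for i in range(n - k)]


def syndrome_decode(H, r, t):
    """Syndrome decoding of Section 5.4: find e of weight <= t with He^T = Hr^T
    and return r + e; raises if more than t errors occurred."""
    n, Ht = len(r), transpose(H)
    s = vec_mul(r, Ht)                               # the syndrome as a row vector
    if not any(s):
        return r
    for w in range(1, t + 1):
        for pos in combinations(range(n), w):
            e = [int(i in pos) for i in range(n)]
            if vec_mul(e, Ht) == s:
                return [(ri + ei) % 2 for ri, ei in zip(r, e)]
    raise ValueError(f"more than {t} errors")


def mceliece_public_key(G, S, P):
    return mat_mul(mat_mul(S, G), P)


def mceliece_encrypt(G_pub, x, e):
    return [(a + b) % 2 for a, b in zip(vec_mul(x, G_pub), e)]


def mceliece_decrypt(G, S, P, y, t):
    k = len(G)
    y1 = vec_mul(y, gf2_inverse(P))                 # undo the column permutation
    x1 = syndrome_decode(parity_check(G), y1, t)     # correct the (permuted) errors
    x0 = x1[:k]                                      # G is systematic: message = first k bits
    return vec_mul(x0, gf2_inverse(S))               # undo the scrambler


# Example 5.11 values
G = [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1], [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]
S = [[1, 1, 0, 1], [1, 0, 0, 1], [0, 1, 1, 1], [1, 1, 0, 0]]
P = [[0, 1, 0, 0, 0, 0, 0], [0, 0, 0, 1, 0, 0, 0], [0, 0, 0, 0, 0, 0, 1], [1, 0, 0, 0, 0, 0, 0],
     [0, 0, 1, 0, 0, 0, 0], [0, 0, 0, 0, 0, 1, 0], [0, 0, 0, 0, 1, 0, 0]]

if __name__ == "__main__":
    G_pub = mceliece_public_key(G, S, P)
    y = mceliece_encrypt(G_pub, [1, 1, 0, 1], [0, 0, 0, 0, 1, 0, 0])
    print("ciphertext", y, "decrypts to", mceliece_decrypt(G, S, P, y, 1))
```

Two points worth noticing when running it: the public matrix G' does not look systematic, so an attacker cannot read the message off the first k bits of y the way Bob does after unscrambling; and `syndrome_decode` recovers the error only after P^{-1} has been applied, which is why the corrected error vector is a permutation of the one Alice added.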



5.5 Notes and References 



The ElGamal Cryptosystem was presented in [EL85]. The Pohlig-Hellman algorithm was published in [PH78], and the material concerning individual bits of the Discrete Logarithm problem is based on Peralta [PE86]. For further information on the Discrete Logarithm problem, we recommend the articles by LaMacchia and Odlyzko [LO91] and McCurley [MC90].

The main reference book for finite fields is Lidl and Niederreiter [LN83]. McEliece [MC87] is a good textbook on the subject, and a research monograph on applications of finite fields was published by Menezes et al. [MBGMVY93]. A recent article on the Discrete Logarithm problem in GF(2^n) is Gordon and McCurley [GM93].

The idea of using elliptic curves for public-key cryptosystems is due to Koblitz [KO87] and Miller [MI86]. Menezes [ME93] is a monograph on elliptic curve cryptosystems. See also Menezes and Vanstone [MV93] and Koblitz [KO94]. For an elementary treatment of elliptic curves, see Silverman and Tate [ST92]. The Menezes-Okamoto-Vanstone reduction of discrete logarithms from elliptic curves to finite fields is given in [MOV94] (see also [ME93]).

The Merkle-Hellman Cryptosystem was presented in [MH78]. This system was broken by Shamir [SH84], and the "iterated" version of the system was broken by Brickell [BR85]. A different knapsack-type system, due to Chor and Rivest [CR88], has not been broken. For more information, see the survey article by Brickell and Odlyzko [BO92].

The most important reference book for coding theory is MacWilliams and Sloane [MS77]. There are many good textbooks on coding theory, e.g., Hoffman et al. [HLLPRW91] and Vanstone and van Oorschot [VV89]. The McEliece Cryptosystem was first described in [MC78]. A recent article discussing the security of this cryptosystem is by Chabaud [CH95].

Exercises

5.1 Implement Shanks' algorithm for finding discrete logarithms in Z_p^*, where p is prime and α is a primitive element. Use your program to find log_106 12375 in Z_24691^* and log_6 248388 in [modulus illegible in this copy].

5.2 Implement the Pohlig-Hellman algorithm for finding discrete logarithms in Z_p^*, where p is prime and α is a primitive element. Use your program to find log_5 8563 in Z_28703^* and log_10 12611 in Z_31153^*.

5.3 Find log_5 896 in Z_1103^* using the algorithm presented in Figure 5.6, given that L_2(β) = 1 for β = 25, 219 and 841, and L_2(β) = 0 for β = 163, 532, 625 and 656.

5.4 Decrypt the ElGamal ciphertext presented in Table 5.3. The parameters of the system are p = 31847, α = 5, a = 7899 and β = 18074. Each element of Z_31847 represents three alphabetic characters as in Exercise 4.6.

The plaintext was taken from "The English Patient," by Michael Ondaatje, Alfred A. Knopf, Inc., New York, 1992.

5.5 Determine which of the following polynomials are irreducible over Z_2[x]: [polynomials illegible in this copy].

5.6 The field GF(2^5) can be constructed as Z_2[x]/(x^5 + x^2 + 1). Perform the following computations in this field.

(a) Compute (x^4 + x^2) × (x^3 + x + 1).

(b) Using the extended Euclidean algorithm, compute (x^3 + x^2)^{-1}.

(c) Using the square-and-multiply algorithm, compute x^[exponent illegible in this copy].

5.7 We give an example of the ElGamal Cryptosystem implemented in GF(3^3). The polynomial x^3 + 2x^2 + 1 is irreducible over Z_3[x] and hence Z_3[x]/(x^3 + 2x^2 + 1) is the field GF(3^3). We can associate the 26 letters of the alphabet with the 26 nonzero field elements, and thus encrypt ordinary text in a convenient way. We will use a lexicographic ordering of the (nonzero) polynomials to set up the correspondence. This correspondence is as follows:

A ↔ 1                J ↔ x^2 + 1            S ↔ 2x^2 + 1
B ↔ 2                K ↔ x^2 + 2            T ↔ 2x^2 + 2
C ↔ x                L ↔ x^2 + x            U ↔ 2x^2 + x
D ↔ x + 1            M ↔ x^2 + x + 1        V ↔ 2x^2 + x + 1
E ↔ x + 2            N ↔ x^2 + x + 2        W ↔ 2x^2 + x + 2
F ↔ 2x               O ↔ x^2 + 2x           X ↔ 2x^2 + 2x
G ↔ 2x + 1           P ↔ x^2 + 2x + 1       Y ↔ 2x^2 + 2x + 1
H ↔ 2x + 2           Q ↔ x^2 + 2x + 2       Z ↔ 2x^2 + 2x + 2
I ↔ x^2              R ↔ 2x^2

Suppose Bob uses α = x and a = 11 in an ElGamal system; then β = x + 2. Show how Bob will decrypt the following string of ciphertext:

(K, H) (P, X) (N, K) (H, R) (T, F) (V, Y) (E, H) (F, A) (T, W) (J, D) (U, J)



Table 5.3 ElGamal Ciphertext

(3781, 14409)   (31552, 3930)   (27214, 15442)  (5809, 30274)   (54000, 31486)
(19936, 721)    (27765, 29284)  (29820, 7710)   (31590, 26470)  (3781, 14409)
(15898, 30844)  (19048, 12914)  (16160, 3129)   (301, 17252)    (24689, 7776)
(28856, 15720)  (30555, 24611)  (20501, 2922)   (13659, 5015)   (5740, 31233)
(1616, 14170)   (4294, 2307)    (2320, 29174)   (3036, 20132)   (14130, 22010)
(25910, 19663)  (19557, 10145)  (18899, 27609)  (26004, 25056)  (5400, 31486)
(9526, 3019)    (12962, 15189)  (29538, 5408)   (3149, 7400)    (9396, 3058)
(27149, 20535)  (1777, 8737)    (26117, 14251)  (7129, 18195)   (25302, 10248)
(23258, 3468)   (26052, 20545)  (21958, 5713)   (346, 31194)    (8836, 25898)
(8794, 17358)   (1777, 8737)    (25038, 12483)  (10422, 5552)   (1777, 8737)
(3780, 16360)   (11685, 133)    (25115, 10840)  (14130, 22010)  (16081, 16414)
(28580, 20845)  (23418, 22058)  (24139, 9580)   (173, 17075)    (2016, 18131)
(198886, 22344) (21600, 25505)  (27119, 19921)  (23312, 16906)  (21563, 7891)
(28250, 21321)  (28327, 19237)  (15313, 28649)  (24271, 8480)   (26592, 25457)
(9660, 7939)    (10267, 20623)  (30499, 14423)  (5839, 24179)   (12846, 6598)
(9284, 27858)   (24875, 17641)  (1111, 8737)    (18825, 19671)  (31306, 11929)
(3576, 4630)    (26664, 27572)  (27011, 29164)  (22763, 8992)   (3149, 7400)
(8951, 29435)   (2059, 3977)    (16258, 30341)  (21541, 19004)  (5865, 29526)
(10536, 6941)   (1777, 8737)    (17561, 11884)  (2209, 6107)    (10422, 5552)
(19371, 21005)  (illegible)     (illegible)     (illegible)     (illegible)
(28327, 19237)  (15313, 28649)

5.8 Let E be the elliptic curve y^2 = x^3 + x + 28 defined over Z_71.

(a) Determine the number of points on E.

(b) Show that E is not a cyclic group.

(c) What is the maximum order of an element in E? Find an element having this order.

5.9 Let E be the elliptic curve y^2 = x^3 + x + 13 defined over Z_31. It can be shown that #E = 34 and α = (9, 10) is an element of order 34 in E. The Menezes-Vanstone Cryptosystem defined on E will have as its plaintext space Z_31^* × Z_31^*. Suppose Bob's secret exponent is a = 25.

(a) Compute β = aα.

(b) Decrypt the following string of ciphertext:

((4, 9), 28, 7), ((19, 28), 9, 13), ((5, 22), 20, 17), ((25, 16), 12, 27).

(c) Assuming that each plaintext represents two alphabetic characters, convert the plaintext into an English word. (Here we will use the correspondence A ↔ 1, ..., Z ↔ 26, since 0 is not allowed in a (plaintext) ordered pair.)

5.10 Suppose the Merkle-Hellman Cryptosystem has as its public list of sizes the vector

t = (1394, 1256, 1508, 1987, 439, 650, 724, 330, 2303, 810).

Suppose Oscar discovers that p = 2503.

(a) By trial and error, determine the value a' such that the list a' t mod p is a permutation of a superincreasing list.

(b) Show how the ciphertext 5746 would be decrypted.

5.11 It can be shown that the matrix H shown below is a parity-check matrix for a [15, 7, 5] code called a BCH code.

H =
  1 0 0 0 1 0 0 1 1 0 1 0 1 1 1
  0 1 0 0 1 1 0 1 0 1 1 1 1 0 0
  0 0 1 0 0 1 1 0 1 0 1 1 1 1 0
  0 0 0 1 0 0 1 1 0 1 0 1 1 1 1
  1 0 0 0 1 1 0 0 0 1 1 0 0 0 1
  0 0 0 1 1 0 0 0 1 1 0 0 0 1 1
  0 0 1 0 1 0 0 1 0 1 0 0 1 0 1
  0 1 1 1 1 0 1 1 1 1 0 1 1 1 1

Decode, if possible, each of the following received vectors r using the syndrome decoding method.

(a) r = (1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0).

(b) r = (1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0).

(c) r = (1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0).
Chapter 6

Signature Schemes 

6.1 Introduction 

In this chapter, we study signature schemes, which are also called digital signatures. A "conventional" 
handwritten signature attached to a document is used to specify the person responsible for it. A signature 
is used in everyday situations such as writing a letter, withdrawing money from a bank, signing a 
contract, etc. 

A signature scheme is a method of signing a message stored in electronic form. As such, a signed 
message can be transmitted over a computer network. In this chapter, we will study several signature 
schemes, but first we discuss some fundamental differences between conventional and digital signatures. 

First is the question of signing a document. With a conventional signature, a signature is physically part 
of the document being signed. However, a digital signature is not attached physically to the message that 
is signed, so the algorithm that is used must somehow "bind" the signature to the message. 

Second is the question of verification. A conventional signature is verified by comparing it to other, 
authentic signatures. For example, when someone signs a credit card purchase, the salesperson is 
supposed to compare the signature on the sales slip to the signature on the back of the credit card in 
order to verify the signature. Of course, this is not a very secure method as it is relatively easy to forge 
someone else's signature. Digital signatures, on the other hand, can be verified using a publicly known 
verification algorithm. Thus, "anyone" can verify a digital signature. The use of a secure signature 
scheme will prevent the possibility of forgeries. 

Another fundamental difference between conventional and digital signatures is that a "copy" of a signed 
digital message is identical to the original. On the other hand, a copy of a signed paper document can 
usually be distinguished from an original. This feature means that care must be taken to prevent a signed 
digital message from being reused. For example, if Bob signs a digital message authorizing Alice to 
withdraw $100 from his bank account (i.e., a check), he only wants Alice to be able to do so once. So 
the message itself should contain information, such as a date, that prevents it from being reused.

A signature scheme consists of two components: a signing algorithm and a verification algorithm. Bob can sign a message x using a (secret) signing algorithm sig. The resulting signature sig(x) can subsequently be verified using a public verification algorithm ver. Given a pair (x, y), the verification algorithm returns an answer "true" or "false" depending on whether the signature is authentic.

Here is a formal definition of a signature scheme.

DEFINITION 6.1 A signature scheme is a five-tuple (P, A, K, S, V), where the following conditions are satisfied:

1. P is a finite set of possible messages

2. A is a finite set of possible signatures

3. K, the keyspace, is a finite set of possible keys

4. For each K ∈ K, there is a signing algorithm sig_K ∈ S and a corresponding verification algorithm ver_K ∈ V. Each sig_K : P → A and ver_K : P × A → {true, false} are functions such that the following equation is satisfied for every message x ∈ P and for every signature y ∈ A:

ver(x, y) = true if y = sig(x), and ver(x, y) = false if y ≠ sig(x).

For each K, ver_K will be a public function and sig_K will be secret. It should be computationally infeasible for Oscar to "forge" Bob's signature on a message x. That is, given x, only Bob should be able to compute the signature y such that ver(x, y) = true. A signature scheme cannot be unconditionally secure, since Oscar can test all possible signatures y for a message x using the public algorithm ver, until he finds the right signature. So, given sufficient time, Oscar can always forge Bob's signature. Thus, as was the case with public-key cryptosystems, our goal is to find signature schemes that are computationally secure.

As our first example of a signature scheme, we observe that the RSA public-key cryptosystem can be 
used to provide digital signatures. See Figure 6.1. 

Thus, Bob signs a message x using the RSA decryption rule $d_K$. Bob is the only person that can create 
the signature since $d_K = sig_K$ is secret. The verification algorithm uses the RSA encryption rule $e_K$. 
Anyone can verify a signature since $e_K$ is public. 

Note that anyone can forge Bob's signature on a "random" message x by computing $x = e_K(y)$ for some 
y; then $y = sig_K(x)$. One way around this difficulty is to require that messages contain sufficient 
redundancy that a forged signature of this type does not correspond to a "meaningful" message x except 
with a very small probability. Alternatively, the use of hash functions in conjunction with signature 
schemes will eliminate this method of forging (cryptographic hash functions will be discussed in 
Chapter 7). 



Figure 6.1 RSA Signature Scheme 



Finally, let's look briefly at how we would combine signing and public-key encryption. Suppose Alice 
wishes to send a signed, encrypted message to Bob. Given a plaintext x, Alice would compute her 
signature $y = sig_{Alice}(x)$, and then encrypt both x and y using Bob's public encryption function $e_{Bob}$, 
obtaining $z = e_{Bob}(x, y)$. The ciphertext z would be transmitted to Bob. When Bob receives z, he first 
decrypts it with his decryption function $d_{Bob}$ to get (x, y). Then he uses Alice's public verification 
function to check that $ver_{Alice}(x, y) = true$. 

What if Alice first encrypted x, and then signed the result? Then she would compute 

$$z = e_{Bob}(x) \quad \text{and} \quad y = sig_{Alice}(z).$$

Alice would transmit the pair (z, y) to Bob. Bob would decrypt z, obtaining x, and then verify the 
signature y on z using $ver_{Alice}$. One potential problem with this approach is that if Oscar obtains a pair 
(z, y) of this type, he could replace Alice's signature y by his own signature 

$$y' = sig_{Oscar}(z).$$

(Note that Oscar can sign the ciphertext $z = e_{Bob}(x)$ even though he doesn't know the plaintext x.) Then, 
if Oscar transmits (z, y') to Bob, Oscar's signature will be verified by Bob using $ver_{Oscar}$, and Bob may 
infer that the plaintext x originated with Oscar. Because of this potential difficulty, most people 
recommend signing before encrypting. 
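The RSA signing rule, the "random message" forgery, and the signature substitution on encrypt-then-sign described above, run end to end in Python as an added example (this is not the book's code). The three key pairs use small constructed primes and public exponents chosen here for illustration, and the messages are likewise invented; real RSA signatures hash and pad the message (Chapter 7) rather than exponentiating it directly.

```python
# Toy RSA signatures: sig_K(x) = x^a mod n (the RSA decryption rule) and
# ver_K(x, y) = true iff x == y^b mod n (the RSA encryption rule).
# All primes, exponents and messages below are small constructed values.

def rsa_keygen(p, q, b):
    """Return (public key (n, b), secret key (n, a)) with a = b^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    a = pow(b, -1, phi)                   # ValueError unless gcd(b, phi) == 1
    return (n, b), (n, a)

def sign(sk, x):
    """Apply the secret exponent a to x; only the key holder can do this."""
    n, a = sk
    assert 0 <= x < n, "message must be smaller than the signer's modulus"
    return pow(x, a, n)

def verify(pk, x, y):
    """Public check: e_K(y) must reproduce x."""
    n, b = pk
    return 0 <= y < n and pow(y, b, n) == x

def encrypt(pk, m):
    n, b = pk
    assert 0 <= m < n, "plaintext must be smaller than the recipient's modulus"
    return pow(m, b, n)

def decrypt(sk, c):
    n, a = sk
    return pow(c, a, n)

def existential_forgery(pk, y):
    """Without the secret key: choose y, set x = e_K(y); then ver_K(x, y) = true,
    but x is a 'random' message Oscar did not get to choose."""
    n, b = pk
    return pow(y, b, n), y

def sign_then_encrypt(x, alice_sk, bob_pk):
    """The recommended order: y = sig_Alice(x); x and y are sent to Bob under e_Bob.
    Oscar sees only ciphertexts and so cannot produce sig_Oscar(x)."""
    y = sign(alice_sk, x)
    return encrypt(bob_pk, x), encrypt(bob_pk, y)

def decrypt_and_verify(z_pair, bob_sk, alice_pk):
    zx, zy = z_pair
    x, y = decrypt(bob_sk, zx), decrypt(bob_sk, zy)
    return x, verify(alice_pk, x, y)

def encrypt_then_sign_substitution(x, alice_pk, alice_sk, bob_pk, oscar_pk, oscar_sk):
    """Alice sends (z, y) with z = e_Bob(x), y = sig_Alice(z).  Oscar intercepts,
    never learns x, and substitutes y' = sig_Oscar(z).  Returns True when Bob's
    check ver_Oscar(z, y') passes, i.e. when Bob would attribute x to Oscar."""
    z = encrypt(bob_pk, x)
    y = sign(alice_sk, z)
    assert verify(alice_pk, z, y)         # Alice's own pair is well-formed
    y_prime = sign(oscar_sk, z)           # Oscar signs the ciphertext he intercepted
    return verify(oscar_pk, z, y_prime)
```

Because a value can only be signed or encrypted under a modulus larger than itself, the keys have to be ordered for each protocol: for sign-then-encrypt Alice's n must lie below Bob's, and for encrypt-then-sign Bob's n must lie below Alice's and Oscar's. The substitution succeeds precisely because Oscar signs z, a value that is public to him, so nothing in the verification step ties the ciphertext to Alice.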



Figure 6.2 ElGamal Signature Scheme 

6.2 The ElGamal Signature Scheme 

We now describe the ElGamal Signature Scheme, which was described in a 1985 paper. A 
modification of this scheme has been adopted as a digital signature standard by the National Institute of 
Standards and Technology (NIST). The ElGamal Scheme is designed specifically for the purpose of 
signatures, as opposed to RSA, which can be used both as a public-key cryptosystem and a signature 
scheme. 



The ElGamal Signature Scheme is non-deterministic, as was the ElGamal Public-key Cryptosystem. 
This means that there are many valid signatures for any given message. The verification algorithm must 
be able to accept any of the valid signatures as authentic. The description of the ElGamal Signature 
Scheme is given in Figure 6.2. 

If the signature was constructed correctly, then the verification will succeed, since 

$$\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{a\gamma}\alpha^{k\delta} \equiv \alpha^{x} \pmod p,$$

where we use the fact that 

$$a\gamma + k\delta \equiv x \pmod{p-1}.$$

Bob computes a signature using both the secret value a (which is part of the key) and the secret random 
number k (which is used to sign one message, x). The verification can be accomplished using only public 
information. 

Let's do a small example to illustrate the arithmetic. 

Example 6.1 

Suppose we take p = 467, α = 2, a = 127; then 

$$\beta = \alpha^{a} \bmod p = 2^{127} \bmod 467 = 132.$$

Suppose Bob wants to sign the message x = 100 and he chooses the random value k = 213 (note that 
gcd(213, 466) = 1 and $213^{-1} \bmod 466 = 431$). Then 

$$\gamma = 2^{213} \bmod 467 = 29$$

and 

$$\delta = (100 - 127 \times 29) \times 431 \bmod 466 = 51.$$

Anyone can verify this signature by checking that 

$$132^{29} \times 29^{51} \equiv 189 \pmod{467}$$

and 

$$2^{100} \equiv 189 \pmod{467}.$$

Hence, the signature is valid. 

Let's look at the security of the ElGamal Signature Scheme. Suppose Oscar tries to forge a signature 
for a given message x, without knowing a. If Oscar chooses a value γ and then tries to find the 
corresponding δ, he must compute the discrete logarithm $\log_{\gamma} \alpha^{x}\beta^{-\gamma}$. On the other hand, if he first 
chooses δ and then tries to find γ, he is trying to "solve" the equation 

$$\beta^{\gamma}\gamma^{\delta} \equiv \alpha^{x} \pmod p$$

for the "unknown" γ. This is a problem for which no feasible solution is known; however, it does not 
seem to be related to any well-studied problem such as the Discrete Logarithm problem. There also 
remains the possibility that there might be some way to compute γ and δ simultaneously in such a way 
that (γ, δ) will be a signature. No one has discovered a way to do this, but conversely, no one has proved 
that it cannot be done. 

If Oscar chooses γ and δ and then tries to solve for x, he is again faced with an instance of the Discrete 
Logarithm problem, namely the computation of $\log_{\alpha} \beta^{\gamma}\gamma^{\delta}$. Hence, Oscar cannot sign a "random" 
message using this approach. However, there is a method by which Oscar can sign a random message by 
choosing γ, δ and x simultaneously: Suppose i and j are integers, $0 \le i \le p-2$, $0 \le j \le p-2$, and 
gcd(j, p − 1) = 1. Then perform the following computations: 

$$\gamma = \alpha^{i}\beta^{j} \bmod p$$
$$\delta = -\gamma j^{-1} \bmod (p-1)$$
$$x = -\gamma i j^{-1} \bmod (p-1),$$

where $j^{-1}$ is computed modulo (p − 1) (this is where we require that j be relatively prime to p − 1). 

We claim that (γ, δ) is a valid signature for the message x. This is proved by checking the verification 
condition: 

$$\beta^{\gamma}\gamma^{\delta} \equiv \beta^{\gamma}(\alpha^{i}\beta^{j})^{-\gamma j^{-1}} \equiv \alpha^{-i\gamma j^{-1}} \equiv \alpha^{x} \pmod p.$$

We illustrate with an example. 

Example 6.2 

As in the previous example, suppose p = 467, α = 2 and β = 132. Suppose Oscar chooses i = 99 and 
j = 179; then $j^{-1} \bmod (p-1) = 151$. He would compute the following: 

$$\gamma = 2^{99} \times 132^{179} \bmod 467 = 117$$
$$\delta = -117 \times 151 \bmod 466 = 41$$
$$x = 99 \times 41 \bmod 466 = 331.$$

Then (117, 41) is a valid signature for the message 331, as may be verified by checking that 

$$132^{117} \times 117^{41} \equiv 303 \pmod{467}$$

and 

$$2^{331} \equiv 303 \pmod{467}.$$

Hence, the signature is valid. 

Here is a second type of forgery, in which Oscar begins with a message previously signed by Bob. 
Suppose (γ, δ) is a valid signature for a message x. Then it is possible for Oscar to sign various other 
messages. Suppose h, i and j are integers, $0 \le h, i, j \le p-2$, and gcd(hγ − jδ, p − 1) = 1. Compute the 
following: 

$$\lambda = \gamma^{h}\alpha^{i}\beta^{j} \bmod p$$
$$\mu = \delta\lambda(h\gamma - j\delta)^{-1} \bmod (p-1)$$
$$x' = \lambda(hx + i\delta)(h\gamma - j\delta)^{-1} \bmod (p-1),$$

where $(h\gamma - j\delta)^{-1}$ is computed modulo (p − 1). Then, it is tedious but straightforward to check the 
verification condition: 

$$\beta^{\lambda}\lambda^{\mu} \equiv \alpha^{x'} \pmod p.$$

Hence (λ, μ) is a valid signature for x'. 

Both of these methods produce valid forged signatures, but they do not appear to enable an opponent to 
forge a signature on a message of his own choosing without first solving a discrete logarithm problem. 
Hence, they do not seem to represent a threat to the security of the ElGamal Signature Scheme. 

Finally, we mention a couple of ways in which the ElGamal Scheme can be broken if it is used 
carelessly (these are further examples of protocol failures, some of which were discussed in the 
exercises of Chapter 4). First, the random value k used in computing a signature should not be revealed. 
For, if k is known, it is a simple matter to compute 

$$a = (x - k\delta)\gamma^{-1} \bmod (p-1).$$

Of course, once a is known, then the system is broken and Oscar can forge signatures at will. 
Another misuse of the system is to use the same value k in signing two different messages. This also 
makes it easy for Oscar to compute a and hence break the system. This can be done as follows. Suppose 
$(\gamma, \delta_1)$ is a signature on $x_1$ and $(\gamma, \delta_2)$ is a signature on $x_2$. Then we have 

$$\beta^{\gamma}\gamma^{\delta_1} \equiv \alpha^{x_1} \pmod p$$

and 

$$\beta^{\gamma}\gamma^{\delta_2} \equiv \alpha^{x_2} \pmod p.$$

Thus 

$$\alpha^{x_1 - x_2} \equiv \gamma^{\delta_1 - \delta_2} \pmod p.$$

Writing $\gamma = \alpha^{k}$, we obtain the following equation in the unknown k: 

$$\alpha^{x_1 - x_2} \equiv \alpha^{k(\delta_1 - \delta_2)} \pmod p,$$

which is equivalent to 

$$x_1 - x_2 \equiv k(\delta_1 - \delta_2) \pmod{p-1}.$$

Now let $d = \gcd(\delta_1 - \delta_2, p-1)$. Since $d \mid (p-1)$ and $d \mid (\delta_1 - \delta_2)$, it follows that $d \mid (x_1 - x_2)$. Define 

$$x' = \frac{x_1 - x_2}{d}, \qquad \delta' = \frac{\delta_1 - \delta_2}{d}, \qquad p' = \frac{p-1}{d}.$$

Then the congruence becomes: 

$$x' \equiv k\delta' \pmod{p'}.$$

Since $\gcd(\delta', p') = 1$, we can compute 

$$\varepsilon = (\delta')^{-1} \bmod p'.$$

Then the value of k is determined modulo p' to be 

$$k = x'\varepsilon \bmod p'.$$

This yields d candidate values for k: 

$$k = x'\varepsilon + ip' \bmod (p-1)$$

for some i, $0 \le i \le d-1$. Of these d candidate values, the (unique) correct one can be determined by 
testing the condition 

$$\gamma \equiv \alpha^{k} \pmod p.$$

Once k is known, a follows from the formula given above. 

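The signing and verification rules exercised in Example 6.1, the two forgeries (Example 6.2 and the forgery from an existing signature) and the repeated-k key recovery just derived, as one added Python example that is not the book's code. The parameters p = 467, α = 2, a = 127 and the values of k, i and j are the text's; the second message $x_2 = 250$ used to show k-reuse, and the choice h = 1, i = 1, j = 2 for the second forgery, are constructed here.

```python
# ElGamal signatures over Z_p^*: gamma = alpha^k mod p, delta = (x - a*gamma) k^-1 mod (p-1),
# verify beta^gamma gamma^delta == alpha^x (mod p).  Added example, not the book's code.
from math import gcd

def elgamal_sign(p, alpha, a, x, k):
    """k must be a fresh secret with gcd(k, p-1) = 1; reusing or leaking it exposes a."""
    assert gcd(k, p - 1) == 1
    gamma = pow(alpha, k, p)
    delta = (x - a * gamma) * pow(k, -1, p - 1) % (p - 1)
    return gamma, delta

def elgamal_verify(p, alpha, beta, x, sig):
    gamma, delta = sig
    if not (1 <= gamma < p and 0 <= delta < p - 1):   # cheap range hygiene
        return False
    return pow(beta, gamma, p) * pow(gamma, delta, p) % p == pow(alpha, x, p)

def forge_random_message(p, alpha, beta, i, j):
    """First forgery: Oscar picks i, j with gcd(j, p-1) = 1 and obtains a valid
    signature on x = -gamma*i*j^-1, a message he does not get to choose."""
    assert gcd(j, p - 1) == 1
    gamma = pow(alpha, i, p) * pow(beta, j, p) % p
    jinv = pow(j, -1, p - 1)
    delta = -gamma * jinv % (p - 1)
    x = -gamma * i * jinv % (p - 1)
    return x, (gamma, delta)

def forge_from_signature(p, alpha, beta, x, sig, h, i, j):
    """Second forgery: from Bob's (gamma, delta) on x derive (lambda, mu) on x'."""
    gamma, delta = sig
    t = pow((h * gamma - j * delta) % (p - 1), -1, p - 1)   # needs gcd(h*gamma - j*delta, p-1) = 1
    lam = pow(gamma, h, p) * pow(alpha, i, p) * pow(beta, j, p) % p
    mu = delta * lam * t % (p - 1)
    x_new = lam * (h * x + i * delta) * t % (p - 1)
    return x_new, (lam, mu)

def recover_key_from_repeated_k(p, alpha, x1, sig1, x2, sig2):
    """Same k => same gamma, and x1 - x2 = k(delta1 - delta2) (mod p-1).
    Solve modulo p' = (p-1)/d, test the d candidates against gamma = alpha^k,
    then a = (x1 - k*delta1) gamma^-1 mod (p-1).  Returns (k, a)."""
    gamma, d1 = sig1
    gamma2, d2 = sig2
    assert gamma == gamma2, "signatures do not share k"
    d = gcd(d1 - d2, p - 1)
    xp, dp, pp = (x1 - x2) // d, (d1 - d2) // d, (p - 1) // d
    eps = pow(dp % pp, -1, pp)                  # gcd(delta', p') = 1 by construction of d
    for i in range(d):
        k = (xp * eps + i * pp) % (p - 1)
        if pow(alpha, k, p) == gamma:            # the unique candidate that reproduces gamma
            a = (x1 - k * d1) * pow(gamma, -1, p - 1) % (p - 1)
            return k, a
    raise ValueError("no candidate k reproduces gamma")
```

With p = 467 the difference $\delta_1 - \delta_2$ for the two signatures under k = 213 shares the factor 2 with p − 1 = 466, so d = 2 and the loop has to test both candidates; the recovery of a at the end assumes γ is invertible modulo p − 1, as the formula in the text does.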
6.3 The Digital Signature Standard 

The Digital Signature Standard (or DSS) is a modification of the ElGamal Signature Scheme. It was 

published in the Federal Register on May 19, 1994 and adopted as a standard on December 1, 1994 
(however, it was first proposed in August, 1991). First, we want to motivate the changes that are made to 
ElGamal, and then we will describe how they are accomplished. 

In many situations, a message might be encrypted and decrypted only once, so it suffices to use any 
cryptosystem which is known to be secure at the time the message is encrypted. On the other hand, a 
signed message could function as a legal document such as a contract or will, so it is very likely that it 
would be necessary to verify a signature many years after the message is signed. So it is important to 
take even more precautions regarding the security of a signature scheme as opposed to a cryptosystem. 
Since the ElGamal Scheme is no more secure than the Discrete Logarithm problem, this necessitates 
the use of a large modulus p. Certainly p should have at least 512 bits, and many people would argue 
that the length of p should be 1024 bits in order to provide security into the foreseeable future. 

However, even a 512 bit modulus leads to a signature having 1024 bits. For potential applications, many 
of which involve the use of smart cards, a shorter signature is desirable. DSS modifies the ElGamal 
Scheme in an ingenious way so that a 160-bit message is signed using a 320-bit signature, but the 
computations are done using a 512-bit modulus p. The way that this is done is to work in a subgroup of 
$\mathbb{Z}_p^{*}$ of size $2^{160}$. The assumed security of the scheme is based on the belief that finding discrete 
logarithms in this specified subgroup of $\mathbb{Z}_p^{*}$ is secure. 

The first change we make is to change the "−" to a "+" in the definition of δ, so 

$$\delta = (x + a\gamma)k^{-1} \bmod (p-1).$$

This changes the verification condition to the following: 

$$\alpha^{x}\beta^{\gamma} \equiv \gamma^{\delta} \pmod p. \qquad (6.1)$$

If gcd(x + aγ, p − 1) = 1, then $\delta^{-1} \bmod (p-1)$ exists, and we can modify condition (6.1), producing the 
following: 

$$\alpha^{x\delta^{-1}}\beta^{\gamma\delta^{-1}} \equiv \gamma \pmod p. \qquad (6.2)$$

Now here is the major innovation in the DSS. We suppose that q is a 160-bit prime such that q | (p − 1), 
and α is a qth root of 1 modulo p. (It is easy to construct such an α: Let $\alpha_0$ be a primitive element of $\mathbb{Z}_p^{*}$, 
and define $\alpha = \alpha_0^{(p-1)/q} \bmod p$.) Then β and γ will also be qth roots of 1. Hence, any exponents of α, β 
and γ can be reduced modulo q without affecting verification condition (6.2). The tricky point is that γ 
appears as an exponent on the left side of (6.2), and again, but not as an exponent, on the right side 
of (6.2). So if γ is reduced modulo q, then we must also reduce the entire left side of (6.2) modulo q in 
order to perform the verification. Observe that (6.1) will not work if the extra reductions modulo q are 
done. The complete description of the DSS is given in Figure 6.3. 

Notice that it is necessary that $\delta \not\equiv 0 \pmod q$ since the value $\delta^{-1} \bmod q$ is needed to verify the signature 
(this is analogous to the requirement that gcd(δ, p − 1) = 1 when we modified (6.1) to obtain (6.2)). If Bob 
computes a value $\delta \equiv 0 \pmod q$ in the signing algorithm, he should reject it and construct a new 
signature with a new random k. We should point out that this is not likely to cause a problem in practice: 
the probability that $\delta \equiv 0 \pmod q$ is likely to be on the order of $2^{-160}$, so for all intents and purposes it 
will almost never happen. 
Figure 6.3 Digital Signature Standard 



Here is a small example to illustrate. 



Example 6.3 

Suppose we take q = 101 and p = 78q + 1 = 7879. 3 is a primitive element in $\mathbb{Z}_{7879}^{*}$, so we can take 

$$\alpha = 3^{78} \bmod 7879 = 170.$$

Suppose a = 75; then 

$$\beta = \alpha^{a} \bmod 7879 = 4567.$$

Now, suppose Bob wants to sign the message x = 22 and he chooses the random value k = 50, so 

$$k^{-1} \bmod 101 = 99.$$

Then 

$$\gamma = (170^{50} \bmod 7879) \bmod 101 = 2518 \bmod 101 = 94$$

and 

$$\delta = (22 + 75 \times 94) \times 99 \bmod 101 = 97.$$

The signature (94, 97) on the message 22 is verified by the following computations: 

$$\delta^{-1} = 97^{-1} \bmod 101 = 25$$
$$e_1 = 22 \times 25 \bmod 101 = 45$$
$$e_2 = 94 \times 25 \bmod 101 = 27$$
$$(170^{45} \times 4567^{27} \bmod 7879) \bmod 101 = 2518 \bmod 101 = 94.$$

Hence, the signature is valid. 
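The DSS signing and verification steps of Figure 6.3, with the subgroup construction and the δ ≡ 0 (mod q) rejection discussed above, as an added Python example that is not the book's code. The parameters q = 101, p = 7879, primitive element 3, a = 75, x = 22 and k = 50 are those of Example 6.3; the message x = 20, which makes k = 50 produce δ = 0, is constructed here to exercise the retry path.

```python
# DSS (Figure 6.3): work in the order-q subgroup of Z_p^*, reduce gamma modulo q,
# and reject delta = 0.  Added example, not the book's code.

def dss_alpha(p, q, alpha0):
    """alpha = alpha0^((p-1)/q) mod p is a q-th root of unity when alpha0 is primitive."""
    assert (p - 1) % q == 0
    alpha = pow(alpha0, (p - 1) // q, p)
    assert alpha != 1 and pow(alpha, q, p) == 1
    return alpha

def dss_sign(p, q, alpha, a, x, k):
    """gamma = (alpha^k mod p) mod q, delta = (x + a*gamma) k^-1 mod q.
    Returns None when delta = 0 (the caller must draw a fresh k).  The standard also
    rejects gamma = 0; the text only discusses the delta case, both are handled here."""
    assert 1 <= k < q
    gamma = pow(alpha, k, p) % q
    delta = (x + a * gamma) * pow(k, -1, q) % q
    if gamma == 0 or delta == 0:
        return None
    return gamma, delta

def dss_sign_retry(p, q, alpha, a, x, k_values):
    """Signs with the first k in k_values (a fresh random stream in practice) that
    does not trigger the rejection.  Returns (k_used, signature)."""
    for k in k_values:
        sig = dss_sign(p, q, alpha, a, x, k)
        if sig is not None:
            return k, sig
    raise ValueError("ran out of candidate k values")

def dss_verify(p, q, alpha, beta, x, sig):
    """e1 = x delta^-1, e2 = gamma delta^-1 (mod q); accept iff
    (alpha^e1 beta^e2 mod p) mod q == gamma.  Out-of-range components are rejected,
    which is what makes the delta^-1 computation safe."""
    gamma, delta = sig
    if not (0 < gamma < q and 0 < delta < q):
        return False
    dinv = pow(delta, -1, q)
    e1, e2 = x * dinv % q, gamma * dinv % q
    return (pow(alpha, e1, p) * pow(beta, e2, p) % p) % q == gamma
```

The verifier's range check is the practical counterpart of the requirement δ ≢ 0 (mod q): without it, a signature with δ = 0 would make the `pow(delta, -1, q)` call fail rather than return false.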

When the DSS was proposed in 1991, there were several criticisms put forward. One complaint was that 
the selection process by NIST was not public. The standard was developed by the National Security 
Agency (NSA) without the input of U. S. industry. Regardless of the merits of the resulting scheme, 
many people resented the "closed-door" approach. 

Of the technical criticisms put forward, the most serious was that the size of the modulus p was fixed at 
512 bits. Many people would prefer that the modulus size not be fixed, so that larger modulus sizes 
could be used if desired. In response to these comments, NIST altered the description of the standard so 
that a variety of modulus sizes are allowed, namely, any modulus size divisible by 64, in the range from 
512 to 1024 bits. 
Another complaint about the DSS was that signatures can be generated considerably faster than they can 
be verified. In contrast, if RSA is used as a signature scheme and the public verification exponent is very 
small (say 3, for example), then verification can be performed much more quickly than signing. This 
leads to a couple of considerations concerning the potential applications of the signature scheme: 

1. A message will only be signed once. On the other hand, it might be necessary to verify the 
signature many times over a period of years. This suggests that a faster verification algorithm 
would be desirable. 

2. What types of computers are likely to be doing the signing and verifying? Many potential 
applications involve smart cards, with limited processing power, communicating with a more 
powerful computer. So one might try to design a scheme so that fewer computations are likely to 
be done by a card. But one can imagine situations where a smart card would generate a signature, 
and other situations where a smart card would verify a signature, so it is difficult to give a 
definitive answer here. 

Figure 6.4 Lamport Signature Scheme 

The response of NIST to the question of signature generation/ verification times is that it does not really 
matter which is faster, provided that both can be done sufficiently quickly. 

6.4 One-time Signatures 

In this section, we describe a conceptually simple way to construct a one-time signature scheme from 
any one-way function. The term "one-time" means that only one message can be signed. (The signature 
can be verified an arbitrary number of times, of course.) The description of the scheme, known as the 
Lamport Signature Scheme, is given in Figure 6.4. 

Informally, this is how the system works. A message to be signed is a binary k-tuple. Each bit is signed 
individually: the value $z_{i,j}$ corresponds to the ith bit of the message having the value j (j = 0, 1). Each $z_{i,j}$ 
is the image of $y_{i,j}$ under the one-way function f. The ith bit of the message is signed using the preimage 
$y_{i,j}$ of the $z_{i,j}$ corresponding to the ith bit of the message. The verification consists simply of checking 
that each element in the signature is the preimage of the appropriate public key element. 

We illustrate the scheme by considering one possible implementation using the exponentiation function 
$f(x) = \alpha^{x} \bmod p$, where α is a primitive element modulo p. 

Example 6.4 

7879 is prime and 3 is a primitive element in $\mathbb{Z}_{7879}^{*}$. Define 

$$f(x) = 3^{x} \bmod 7879.$$

Suppose Bob wishes to sign a message of three bits, and he chooses the six (secret) random numbers 

$$y_{1,0} = 5831, \quad y_{1,1} = 735, \quad y_{2,0} = 803, \quad y_{2,1} = 2467, \quad y_{3,0} = 4285, \quad y_{3,1} = 6449.$$

Then he computes the images of the y's under the function f: 

$$z_{1,0} = 2009, \quad z_{1,1} = 3810, \quad z_{2,0} = 4672, \quad z_{2,1} = 4721, \quad z_{3,0} = 268, \quad z_{3,1} = 5731.$$

These z's are published. Now, suppose Bob wants to sign the message 

$$x = (1, 1, 0).$$

The signature for x is 

$$(y_{1,1}, y_{2,1}, y_{3,0}) = (735, 2467, 4285).$$

To verify this signature, it suffices to compute the following: 

$$3^{735} \bmod 7879 = 3810$$
$$3^{2467} \bmod 7879 = 4721$$
$$3^{4285} \bmod 7879 = 268.$$

Hence, the signature is valid. 

Oscar cannot forge a signature because he is unable to invert the one-way function /to obtain the secret 
y's. However, the signature scheme can be used to sign only one message. For, given signatures for two 
different messages, it is (usually) an easy matter for Oscar to construct signatures for further messages 
(different from the first two). 

For example, suppose the messages (0, 1, 1) and (1, 0, 1) are both signed using the same scheme. The 
message (0, 1, 1) would have as its signature the triple $(y_{1,0}, y_{2,1}, y_{3,1})$, and the message (1, 0, 1) would 
be signed with $(y_{1,1}, y_{2,0}, y_{3,1})$. Given these two signatures, Oscar can manufacture signatures for the 
messages (1, 1, 1) (namely, $(y_{1,1}, y_{2,1}, y_{3,1})$) and (0, 0, 1) (namely, $(y_{1,0}, y_{2,0}, y_{3,1})$). 
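The Lamport scheme of Example 6.4 and the mix-and-match forgery from two signatures just described, as an added Python example (not the book's code). The one-way function $f(x) = 3^x \bmod 7879$ and the six secret y's are the text's; the forgery routine goes slightly beyond the text by enumerating every message whose bits are all covered by the two revealed signatures, which for three bits is exactly the pair (1, 1, 1) and (0, 0, 1).

```python
# Lamport one-time signatures with f(x) = 3^x mod 7879 (Example 6.4) and the
# forgery that combines two signatures.  Added example, not the book's code.
from itertools import product

P, ALPHA = 7879, 3

def f(x):
    """The one-way function of Example 6.4: modular exponentiation."""
    return pow(ALPHA, x, P)

def lamport_keygen(y):
    """y = [(y_10, y_11), ..., (y_k0, y_k1)] secret; public key z_ij = f(y_ij)."""
    return [(f(y0), f(y1)) for y0, y1 in y]

def lamport_sign(y, bits):
    """Reveal, for each position i, the preimage y_{i, x_i}."""
    return tuple(y[i][b] for i, b in enumerate(bits))

def lamport_verify(z, bits, sig):
    if not (len(z) == len(bits) == len(sig)):
        return False
    return all(f(s) == z[i][b] for i, (b, s) in enumerate(zip(bits, sig)))

def forge_from_two(k, msg1, sig1, msg2, sig2):
    """Oscar records every (position, bit) -> preimage pair revealed by two signatures
    and can then sign any k-bit message whose bits are all among them.
    Returns {message: forged signature} for messages other than msg1 and msg2."""
    known = {}
    for msg, sig in ((msg1, sig1), (msg2, sig2)):
        for i, (b, s) in enumerate(zip(msg, sig)):
            known[(i, b)] = s
    forged = {}
    for bits in product((0, 1), repeat=k):
        if bits in (tuple(msg1), tuple(msg2)):
            continue
        if all((i, b) in known for i, b in enumerate(bits)):
            forged[bits] = tuple(known[(i, b)] for i, b in enumerate(bits))
    return forged
```

Every forged signature passes `lamport_verify` against the same public key, which is why a Lamport key must be discarded after a single use.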

Even though this scheme is quite elegant, it is not of great practical use due to the size of the signatures 
it produces. For example, if we use the modular exponentiation function, as in the example above, then a 
secure implementation would require that p be at least 512 bits in length. This means that each bit of the 
message is signed using 512 bits. Consequently, the signature is 512 times as long as the message! 

We now look at a modification due to Bos and Chaum that allows the signatures to be made somewhat 
shorter, with no loss of security. In the Lamport Scheme, the reason that Oscar cannot forge a signature 
on a (second) message, given a signature on one message, is that the y's corresponding to one message 
are never a subset of the y's corresponding to another (distinct) message. 

Suppose we have a set $\mathcal{B}$ of subsets of a set B such that $B_1 \subseteq B_2$ only if $B_1 = B_2$, for all $B_1, B_2 \in \mathcal{B}$. 
Then $\mathcal{B}$ is said to satisfy the Sperner property. Given a set B of even cardinality 2n, it is known that the 
maximum size of a set $\mathcal{B}$ of subsets of B having the Sperner property is $\binom{2n}{n}$. This can easily be 
obtained by taking all the n-subsets of B: clearly no n-subset is contained in another n-subset. 

Now suppose we want to sign a k-bit message, as before, and we choose n large enough so that 

$$2^{k} \le \binom{2n}{n}.$$

Let |B| = 2n and let $\mathcal{B}$ denote the set of n-subsets of B. Let $\phi : \{0, 1\}^{k} \to \mathcal{B}$ be a publicly known injection. 
Then we can associate each possible message with an n-subset in $\mathcal{B}$. We will have 2n y's and 2n z's, and 
each message will be signed with n y's. The complete description of the Bos-Chaum Scheme is given in 
Figure 6.5. 

The advantage of the Bos-Chaum Scheme is that signatures are shorter than with the Lamport 
Scheme. For example, suppose we wish to sign a message of six bits (i.e., k = 6). Since $2^{6} = 64$ and 
$\binom{8}{4} = 70$, we can take n = 4. This allows a six-bit message to be signed with four y's, as opposed to six 
with Lamport. As well, the key is shorter, consisting of eight z's as opposed to twelve with Lamport. 
Figure 6.5 Bos-Chaum Signature Scheme 

The Bos-Chaum Scheme requires an injective function φ that associates an n-subset of a 2n-set with 
each possible binary k-tuple $x = (x_1, \ldots, x_k)$. We present one simple algorithm to do this in Figure 6.6. 

Applying this algorithm with x = (0, 1, 0, 0, 1, 1), for example, yields 

$$\phi(x) = \{2, 4, 6, 8\}.$$

In general, how big is n in the Bos-Chaum Scheme as compared to k? We need to satisfy the inequality 

$$2^{k} \le \binom{2n}{n}.$$

If we estimate the binomial coefficient 

$$\binom{2n}{n} = \frac{(2n)!}{(n!)^{2}}$$

using Stirling's formula, we obtain the quantity $\frac{2^{2n}}{\sqrt{\pi n}}$. After some simplification, the inequality 
becomes 

$$k \le 2n - \frac{\log_2(\pi n)}{2}.$$

Figure 6.6 Computation of φ in the Bos-Chaum Scheme 

Asymptotically, n is about k/2, so we obtain an almost 50% reduction in signature size by using the Bos-
Chaum Scheme. 

6.5 Undeniable Signatures 

Undeniable signatures were introduced by Chaum and van Antwerpen in 1989. They have several novel 
features. Primary among these is that a signature cannot be verified without the cooperation of the 
signer, Bob. This protects Bob against the possibility that documents signed by him are duplicated and 
distributed electronically without his approval. The verification will be accomplished by means of a 
challenge-and-response protocol. 

But if Bob's cooperation is required to verify a signature, what is to prevent Bob from disavowing a 
signature he made at an earlier time? Bob might claim that a valid signature is a forgery, and either 
refuse to verify it, or carry out the protocol in such a way that the signature will not be verified. To 
prevent this from happening, an undeniable signature scheme incorporates a disavowal protocol by 
which Bob can prove that a signature is a forgery. Thus, Bob will be able to prove in court that a given 
forged signature is in fact a forgery. (If he refuses to take part in the disavowal protocol, this would be 
regarded as evidence that the signature is, in fact, genuine.) 

Thus, an undeniable signature scheme consists of three components: a signing algorithm, a verification 
protocol, and a disavowal protocol. First, we present the signing algorithm and verification protocol of 
the Chaum-van Antwerpen Undeniable Signature Scheme in Figure 6.7. 




Figure 6.7 Chaum-van Antwerpen Undeniable Signature Scheme 

We should explain the roles of p and q in this scheme. The scheme lives in $\mathbb{Z}_p$; however, we need to be 
able to do computations in a multiplicative subgroup G of $\mathbb{Z}_p^{*}$ of prime order. In particular, we need to 
be able to compute inverses modulo |G|, which is why |G| should be prime. It is convenient to take p = 
2q + 1 where q is prime. In this way, the subgroup G is as large as possible, which is desirable since 
messages and signatures are both elements of G. 
We first prove that Alice will accept a valid signature. In the following computations, all exponents are 
to be reduced modulo q. First, observe that 

$$d \equiv c^{a^{-1}} \equiv y^{e_1 a^{-1}}\beta^{e_2 a^{-1}} \pmod p.$$

Since 

$$\beta \equiv \alpha^{a} \pmod p,$$

we have that 

$$\beta^{a^{-1}} \equiv \alpha \pmod p.$$

Similarly, 

$$y \equiv x^{a} \pmod p$$

implies that 

$$y^{a^{-1}} \equiv x \pmod p.$$

Hence, 

$$d \equiv x^{e_1}\alpha^{e_2} \pmod p,$$

as desired. 

Here is a small example. 

Example 6.5 

Suppose we take p = 467. Since 2 is a primitive element, $2^{2} = 4$ is a generator of G, the quadratic 
residues modulo 467. So we can take α = 4. Suppose a = 101; then 

$$\beta = \alpha^{a} \bmod 467 = 449.$$

Bob will sign the message x = 119 with the signature 

$$y = 119^{101} \bmod 467 = 129.$$

Now, suppose Alice wants to verify the signature y. Suppose she chooses the random values $e_1 = 38$, 
$e_2 = 397$. She will compute c = 13, whereupon Bob will respond with d = 9. Alice checks the response by 
verifying that 

$$119^{38} \times 4^{397} \equiv 9 \pmod{467}.$$

Hence, Alice accepts the signature as valid. 

We next prove that Bob cannot fool Alice into accepting a fraudulent signature as valid, except with a 
very small probability. This result does not depend on any computational assumptions, i.e., the security 
is unconditional. 

THEOREM 6.1 

If $y \not\equiv x^{a} \pmod p$, then Alice will accept y as a valid signature for x with probability 1/q. 

PROOF First, we observe that each possible challenge c corresponds to exactly q ordered pairs $(e_1, e_2)$ 
(this is because y and β are both elements of the multiplicative group G of prime order q). Now, when 
Bob receives the challenge c, he has no way of knowing which of the q possible ordered pairs $(e_1, e_2)$ 
Alice used to construct c. We claim that, if $y \not\equiv x^{a} \pmod p$, then any possible response $d \in G$ that Bob 
might make is consistent with exactly one of the q possible ordered pairs $(e_1, e_2)$. 

Since α generates G, we can write any element of G as a power of α, where the exponent is defined 
uniquely modulo q. So write $c = \alpha^{i}$, $d = \alpha^{j}$, $x = \alpha^{k}$ and $y = \alpha^{l}$, where $i, j, k, l \in \mathbb{Z}_q$ and all 
arithmetic is modulo p. Consider the following two congruences: 

$$c \equiv y^{e_1}\beta^{e_2} \pmod p$$
$$d \equiv x^{e_1}\alpha^{e_2} \pmod p.$$

This system is equivalent to the following system: 

$$i \equiv le_1 + ae_2 \pmod q$$
$$j \equiv ke_1 + e_2 \pmod q.$$

Now, we are assuming that 

$$y \not\equiv x^{a} \pmod p,$$

so it follows that 

$$l \not\equiv ak \pmod q.$$

Hence, the coefficient matrix of this system of congruences modulo q has non-zero determinant, and 
thus there is a unique solution to the system. That is, every $d \in G$ is the correct response for exactly one 
of the q possible ordered pairs $(e_1, e_2)$. Consequently, the probability that Bob gives Alice a response d 
that will be verified is exactly 1/q, and the theorem is proved. 
We now turn to the disavowal protocol. This protocol consists of two runs of the verification protocol 
and is presented in Figure 6.8. 

Steps 1-4 and steps 5-8 comprise two unsuccessful runs of the verification protocol. Step 9 is a 
"consistency check" that enables Alice to determine if Bob is forming his responses in the manner 
specified by the protocol. 

The following example illustrates the disavowal protocol. 

Example 6.6 

As before, suppose p = 467, α = 4, a = 101 and β = 449. Suppose the message x = 286 is signed with the 
(bogus) signature y = 83, and Bob wants to convince Alice that the signature is invalid. 

Figure 6.8 Disavowal protocol 

Suppose Alice begins by choosing the random values $e_1 = 45$, $e_2 = 237$. Alice computes c = 305 and Bob 
responds with d = 109. Then Alice computes 

$$286^{45} \times 4^{237} \bmod 467 = 149.$$

Since 149 ≠ 109, Alice proceeds to step 5 of the protocol. 

Now suppose Alice chooses the random values $f_1 = 125$, $f_2 = 9$. Alice computes C = 270 and Bob 
responds with D = 68. Alice computes 

$$286^{125} \times 4^{9} \bmod 467 = 25.$$

Since 25 ≠ 68, Alice proceeds to step 9 of the protocol and performs the consistency check. This check 
succeeds, since 

$$(109 \times 4^{-237})^{125} \equiv 188 \pmod{467}$$

and 

$$(68 \times 4^{-9})^{45} \equiv 188 \pmod{467}.$$

Hence, Alice is convinced that the signature is invalid. 
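The signing rule, the challenge-and-response verification protocol (Example 6.5) and the disavowal protocol with its step-9 consistency check (Example 6.6), run end to end as an added Python example that is not the book's code. The parameters p = 467, q = 233, α = 4, a = 101 and all challenge values are the text's; the responder that answers every challenge with 1 is a constructed cheating Bob, included to show the consistency check classifying a dishonest disavowal of a valid signature.

```python
# Chaum-van Antwerpen undeniable signatures in the order-q subgroup G of Z_p^*,
# p = 2q + 1 = 467, alpha = 4.  Added example, not the book's code.
from functools import partial

P, Q, ALPHA = 467, 233, 4

def in_G(v):
    """G is the set of quadratic residues mod p; v is in G iff v^q = 1 (mod p)."""
    return pow(v, Q, P) == 1

def cva_keygen(a):
    return pow(ALPHA, a, P)                       # public beta = alpha^a mod p

def cva_sign(a, x):
    assert in_G(x), "messages must be elements of G"
    return pow(x, a, P)                           # y = x^a mod p

def challenge(y, beta, e1, e2):
    """Alice: c = y^e1 beta^e2 mod p with e1, e2 secret random elements of Z_q^*."""
    return pow(y, e1, P) * pow(beta, e2, P) % P

def honest_response(a, c):
    """Bob: d = c^(a^-1 mod q) mod p."""
    return pow(c, pow(a, -1, Q), P)

def expected(x, e1, e2):
    """What an honest response equals when y = x^a: x^e1 alpha^e2 mod p."""
    return pow(x, e1, P) * pow(ALPHA, e2, P) % P

def verify(x, y, beta, responder, e1, e2):
    """One run of the verification protocol; responder(c) is Bob's side."""
    return responder(challenge(y, beta, e1, e2)) == expected(x, e1, e2)

def disavow(x, y, beta, responder, e1, e2, f1, f2):
    """Disavowal protocol (Figure 6.8): two verification runs, then the step-9 check
    (d alpha^-e2)^f1 == (D alpha^-f2)^e1 (mod p).  Returns 'valid', 'forgery' or
    'bob_cheating' (Bob answered inconsistently, which Theorem 6.3 makes overwhelmingly
    likely when he tries to disavow a genuine signature)."""
    d = responder(challenge(y, beta, e1, e2))
    if d == expected(x, e1, e2):
        return "valid"                            # step 4
    D = responder(challenge(y, beta, f1, f2))
    if D == expected(x, f1, f2):
        return "valid"                            # step 8
    lhs = pow(d * pow(ALPHA, -e2, P) % P, f1, P)  # step 9 consistency check
    rhs = pow(D * pow(ALPHA, -f2, P) % P, e1, P)
    return "forgery" if lhs == rhs else "bob_cheating"

def run_examples():
    """Examples 6.5 and 6.6 plus a constructed cheating responder."""
    a = 101
    beta = cva_keygen(a)
    bob = partial(honest_response, a)
    y = cva_sign(a, 119)
    return {
        "beta": beta,
        "y": y,
        "verify_valid": verify(119, y, beta, bob, 38, 397),
        "disavow_bogus": disavow(286, 83, beta, bob, 45, 237, 125, 9),
        "disavow_valid_honest": disavow(119, y, beta, bob, 38, 397, 125, 9),
        "disavow_valid_cheater": disavow(119, y, beta, lambda c: 1, 38, 397, 125, 9),
    }
```

The responder is passed in as a function so that Alice's side of the protocol is written once and run against both an honest Bob, who holds a, and an arbitrary one; only Alice's own computations decide the outcome.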
We have to prove two things at this point: 

1. Bob can convince Alice that an invalid signature is a forgery. 

2. Bob cannot make Alice believe that a valid signature is a forgery except with a very small 
probability. 

THEOREM 6.2 

If $y \not\equiv x^{a} \pmod p$, and Alice and Bob follow the disavowal protocol, then 

$$(d\alpha^{-e_2})^{f_1} \equiv (D\alpha^{-f_2})^{e_1} \pmod p.$$

PROOF Using the facts that 

$$d \equiv c^{a^{-1}} \pmod p,$$
$$c \equiv y^{e_1}\beta^{e_2} \pmod p$$

and 

$$\beta \equiv \alpha^{a} \pmod p,$$

we have that 

$$(d\alpha^{-e_2})^{f_1} \equiv \left((y^{e_1}\beta^{e_2})^{a^{-1}}\alpha^{-e_2}\right)^{f_1} \pmod p$$
$$\equiv y^{e_1 a^{-1} f_1}\beta^{e_2 a^{-1} f_1}\alpha^{-e_2 f_1} \pmod p$$
$$\equiv y^{e_1 a^{-1} f_1}\alpha^{e_2 f_1}\alpha^{-e_2 f_1} \pmod p$$
$$\equiv y^{a^{-1} e_1 f_1} \pmod p.$$

A similar computation, using the facts that $D \equiv C^{a^{-1}} \pmod p$, $C \equiv y^{f_1}\beta^{f_2} \pmod p$ and $\beta \equiv \alpha^{a} \pmod p$, 
establishes that 

$$(D\alpha^{-f_2})^{e_1} \equiv y^{a^{-1} e_1 f_1} \pmod p,$$

so the consistency check in step 9 succeeds. 

Now we look at the possibility that Bob might attempt to disavow a valid signature. In this situation, we 
do not assume that Bob follows the protocol. That is, Bob might not construct d and D as specified by 
the protocol. Hence, in the following theorem, we assume only that Bob is able to produce values d and 
D which satisfy the conditions in steps 4, 8, and 9 of the protocol presented in Figure 6.8. 



THEOREM 6.3 

Suppose $y \equiv x^{a} \pmod p$ and Alice follows the disavowal protocol. If 

$$d \not\equiv x^{e_1}\alpha^{e_2} \pmod p$$

and 

$$D \not\equiv x^{f_1}\alpha^{f_2} \pmod p,$$

then the probability that 

$$(d\alpha^{-e_2})^{f_1} \not\equiv (D\alpha^{-f_2})^{e_1} \pmod p$$

is 1 − 1/q. 

PROOF Suppose that the following congruences are satisfied: 

$$y \equiv x^{a} \pmod p$$
$$d \not\equiv x^{e_1}\alpha^{e_2} \pmod p$$
$$D \not\equiv x^{f_1}\alpha^{f_2} \pmod p$$
$$(d\alpha^{-e_2})^{f_1} \equiv (D\alpha^{-f_2})^{e_1} \pmod p.$$

We will derive a contradiction. 

The consistency check (step 9) can be rewritten in the following form: 

$$D \equiv d_0^{f_1}\alpha^{f_2} \pmod p,$$

where 

$$d_0 = d^{1/e_1}\alpha^{-e_2/e_1} \bmod p$$

is a value that depends only on steps 1-4 of the protocol. 

Applying Theorem 6.1, we conclude that y is a valid signature for $d_0$ with probability 1 − 1/q. But we are 
assuming that y is a valid signature for x. That is, with high probability we have 

$$x^{a} \equiv d_0^{a} \pmod p,$$

which implies that $x = d_0$. 

However, the fact that 

$$d \not\equiv x^{e_1}\alpha^{e_2} \pmod p$$

means that 

$$x \not\equiv d^{1/e_1}\alpha^{-e_2/e_1} \pmod p.$$

Since 

$$d_0 \equiv d^{1/e_1}\alpha^{-e_2/e_1} \pmod p,$$

we conclude that $x \ne d_0$ and we have a contradiction. 

Hence, Bob can fool Alice in this way with probability 1/q. 

6.6 Fail-stop Signatures 

A fail-stop signature scheme provides enhanced security against the possibility that a very powerful 
adversary might be able to forge a signature. In the event that Oscar is able to forge Bob's signature on a 
message, Bob will (with high probability) subsequently be able to prove that Oscar's signature is a 
forgery. 

In this section, we describe a fail-stop signature scheme constructed by van Heyst and Pedersen in 1992. 
This is a one-time scheme (only one message can be signed with a given key). The system consists of 
signing and verification algorithms, as well as a "proof of forgery" algorithm. The description of the 
signing and verification algorithms of the van Heyst and Pedersen Fail-stop Signature Scheme is 
presented in Figure 6.9. 

It is straightforward to see that a signature produced by Bob will satisfy the verification condition, so 
let's turn to the security aspects of this scheme and how the fail-stop property works. First we establish 
some important facts relating to the keys of the scheme. We begin with a definition. Two keys 
$(\gamma_1, \gamma_2, a_1, a_2, b_1, b_2)$ and $(\gamma_1', \gamma_2', a_1', a_2', b_1', b_2')$ are said to be equivalent if $\gamma_1 = \gamma_1'$ and $\gamma_2 = \gamma_2'$. 
It is easy to see that there are exactly $q^{2}$ keys in any equivalence class. 

We establish several lemmas. 

LEMMA 6.4 

Suppose $K$ and $K'$ are equivalent keys and suppose that $\mathrm{ver}_K(x, y) = \text{true}$. Then $\mathrm{ver}_{K'}(x, y) = \text{true}$. 

PROOF Suppose $K = (\gamma_1, \gamma_2, a_1, a_2, b_1, b_2)$ and $K' = (\gamma_1, \gamma_2, a_1', a_2', b_1', b_2')$, where 

$$\gamma_1 = \alpha^{a_1}\beta^{a_2} \bmod p = \alpha^{a_1'}\beta^{a_2'} \bmod p$$

and 

$$\gamma_2 = \alpha^{b_1}\beta^{b_2} \bmod p = \alpha^{b_1'}\beta^{b_2'} \bmod p.$$

Suppose $x$ is signed using $K$, producing the signature $y = (y_1, y_2)$, where 

$$y_1 = a_1 + x b_1 \bmod q,$$
$$y_2 = a_2 + x b_2 \bmod q.$$

Now suppose that we verify $y$ using $K'$: 

$$\alpha^{y_1}\beta^{y_2} \equiv \alpha^{a_1 + x b_1}\beta^{a_2 + x b_2} \pmod p$$
$$\equiv \alpha^{a_1}\beta^{a_2}\left(\alpha^{b_1}\beta^{b_2}\right)^x \pmod p$$
$$\equiv \gamma_1\gamma_2^x \pmod p.$$

Thus, $y$ will also be verified using $K'$. 



Figure 6.9 van Heyst and Pedersen Fail-stop Signature Scheme 



LEMMA 6.5 

Suppose $K$ is a key and $y = \mathrm{sig}_K(x)$. Then there are exactly $q$ keys $K'$ equivalent to $K$ such that $y = \mathrm{sig}_{K'}(x)$. 

PROOF Suppose $\gamma_1$ and $\gamma_2$ are the public components of $K$. We want to determine the number of 4-tuples $(a_1, a_2, b_1, b_2)$ such that the following congruences are satisfied: 

$$\gamma_1 \equiv \alpha^{a_1}\beta^{a_2} \pmod p$$
$$\gamma_2 \equiv \alpha^{b_1}\beta^{b_2} \pmod p$$
$$y_1 \equiv a_1 + x b_1 \pmod q$$
$$y_2 \equiv a_2 + x b_2 \pmod q.$$

Since $\alpha$ generates $G$, there exist unique exponents $c_1, c_2, a_0 \in \mathbb{Z}_q$ such that 

$$\gamma_1 \equiv \alpha^{c_1} \pmod p,$$
$$\gamma_2 \equiv \alpha^{c_2} \pmod p$$

and 

$$\beta \equiv \alpha^{a_0} \pmod p.$$

Hence, it is necessary and sufficient that the following system of congruences be satisfied: 

$$c_1 \equiv a_1 + a_0 a_2 \pmod q$$
$$c_2 \equiv b_1 + a_0 b_2 \pmod q$$
$$y_1 \equiv a_1 + x b_1 \pmod q$$
$$y_2 \equiv a_2 + x b_2 \pmod q.$$

This system can, in turn, be written as a matrix equation in $\mathbb{Z}_q$, as follows: 

$$\begin{pmatrix} 1 & a_0 & 0 & 0 \\ 0 & 0 & 1 & a_0 \\ 1 & 0 & x & 0 \\ 0 & 1 & 0 & x \end{pmatrix} \begin{pmatrix} a_1 \\ a_2 \\ b_1 \\ b_2 \end{pmatrix} = \begin{pmatrix} c_1 \\ c_2 \\ y_1 \\ y_2 \end{pmatrix}.$$

Now, the coefficient matrix of this system can be seen to have rank three: Clearly, the rank is at least three since rows 1, 2 and 4 are linearly independent over $\mathbb{Z}_q$. And the rank (the maximum number of linearly independent rows the matrix contains) is at most three since 

$$r_1 + x r_2 - r_3 - a_0 r_4 = (0, 0, 0, 0),$$

where $r_i$ denotes the $i$th row of the matrix. 

Now, this system of equations has at least one solution, obtained by using the key $K$. Since the rank of the coefficient matrix is three, it follows that the dimension of the solution space is $4 - 3 = 1$, and there are exactly $q$ solutions. The result follows. 

By similar reasoning, the following result can be proved. We omit the proof. 
LEMMA 6.6 

Suppose $K$ is a key, $y = \mathrm{sig}_K(x)$, and $\mathrm{ver}_K(x', y') = \text{true}$, where $x' \neq x$. Then there is at most one key $K'$ equivalent to $K$ such that $y = \mathrm{sig}_{K'}(x)$ and $y' = \mathrm{sig}_{K'}(x')$. 

Let's interpret what the preceding two lemmas say about the security of the scheme. Given that $y$ is a valid signature for message $x$, there are $q$ possible keys that would have signed $x$ with $y$. But for any message $x' \neq x$, these $q$ keys will produce $q$ different signatures on $x'$. Thus, the following theorem results. 

THEOREM 6.7 

Given that $\mathrm{sig}_K(x) = y$ and $x' \neq x$, Oscar can compute $\mathrm{sig}_K(x')$ with probability $1/q$. 

Note that this theorem does not depend on the computational power of Oscar: the stated level of security 
is obtained because Oscar cannot tell which of q possible keys is being used by Bob. So the security is 
unconditional. 

We now go on to look at the fail-stop concept. What we have said so far is that, given a signature $y$ on message $x$, Oscar cannot compute Bob's signature $y'$ on a different message $x'$. It is still conceivable that Oscar can compute a forged signature $y'' \neq \mathrm{sig}_K(x')$ which will still be verified. However, if Bob is given a valid forged signature, then with probability $1 - 1/q$ he can produce a "proof of forgery." The proof of forgery is the value $a_0 = \log_\alpha \beta$, which is known only to the central authority. 

So we assume that Bob possesses a pair $(x', y'')$ such that $\mathrm{ver}_K(x', y'') = \text{true}$ and $y'' \neq \mathrm{sig}_K(x')$. That is, 

$$\gamma_1\gamma_2^{x'} \equiv \alpha^{y_1''}\beta^{y_2''} \pmod p,$$

where $y'' = (y_1'', y_2'')$. Now, Bob can compute his own signature on $x'$, namely $y' = \mathrm{sig}_K(x') = (y_1', y_2')$, and it will be the case that 

$$\gamma_1\gamma_2^{x'} \equiv \alpha^{y_1'}\beta^{y_2'} \pmod p.$$

Hence, 

$$\alpha^{y_1''}\beta^{y_2''} \equiv \alpha^{y_1'}\beta^{y_2'} \pmod p.$$

Writing $\beta = \alpha^{a_0} \bmod p$ and comparing exponents of $\alpha$ (which has order $q$), we have that 

$$y_1'' + a_0 y_2'' \equiv y_1' + a_0 y_2' \pmod q.$$

This simplifies to give 

$$y_1'' - y_1' \equiv a_0(y_2' - y_2'') \pmod q.$$

Now, $y_2' \not\equiv y_2'' \pmod q$ since $y''$ is a forgery. Hence, $(y_2' - y_2'')^{-1} \bmod q$ exists, and 

$$a_0 = \log_\alpha \beta = (y_1'' - y_1')(y_2' - y_2'')^{-1} \bmod q.$$

Of course, by accepting such a proof of forgery, we assume that Bob cannot compute the discrete logarithm $\log_\alpha \beta$ by himself. This is a computational assumption. 

Finally, we remark that the scheme is a one-time scheme since Bob's key K can easily be computed if 
two messages are signed using K. 

We close with an example illustrating how Bob can produce a proof of forgery. 
Example 6.7 

Suppose $p = 3467 = 2 \times 1733 + 1$. The element $\alpha = 4$ has order 1733 in $\mathbb{Z}_{3467}^*$. Suppose that $a_0 = 1567$, so 

$$\beta = 4^{1567} \bmod 3467 = 514.$$

(Recall that Bob knows the values of $\alpha$ and $\beta$, but not $a_0$.) Suppose Bob forms his key using $a_1 = 888$, $a_2 = 1024$, $b_1 = 786$ and $b_2 = 999$, so 

$$\gamma_1 = 4^{888}\,514^{1024} \bmod 3467 = 3405$$

and 

$$\gamma_2 = 4^{786}\,514^{999} \bmod 3467 = 2281.$$

Now, suppose Bob is presented with the forged signature (822, 55) on the message 3383. This is a valid signature since the verification condition is satisfied: 

$$3405 \times 2281^{3383} \equiv 2282 \pmod{3467}$$

and 

$$4^{822}\,514^{55} \equiv 2282 \pmod{3467}.$$

On the other hand, this is not the signature Bob would have constructed. Bob can compute his own signature to be 

$$(888 + 3383 \times 786 \bmod 1733,\ 1024 + 3383 \times 999 \bmod 1733) = (1504, 1291).$$

Then, he proceeds to calculate the secret discrete log 

$$a_0 = (822 - 1504)(1291 - 55)^{-1} \bmod 1733 = 1567.$$

This is the proof of forgery. 
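The scheme of Section 6.6 run on the numbers of Example 6.7, as an added example that is not part of the book: key generation, signing and verification follow the congruences used in the lemmas above, proof_of_forgery implements the formula for $a_0$ derived before the example, and recover_key_from_two_signatures shows the closing remark that the scheme is one-time. The forged signature (822, 55) is the one the text presents; the function names are this example's own.

```python
# Added example (not from the textbook): the van Heyst-Pedersen fail-stop
# scheme of Section 6.6 on the parameters of Example 6.7. The forged signature
# (822, 55) on message 3383 is the one given in the text.

P, Q, ALPHA = 3467, 1733, 4          # p = 2q + 1, alpha of order q in Z_p^*
A0 = 1567                            # central authority's secret a0 = log_alpha(beta)
BETA = pow(ALPHA, A0, P)             # the text gives beta = 514


def keygen(a1, a2, b1, b2, p=P, alpha=ALPHA, beta=BETA):
    """Bob's key K = (gamma1, gamma2, a1, a2, b1, b2) for chosen exponents in Z_q."""
    gamma1 = pow(alpha, a1, p) * pow(beta, a2, p) % p
    gamma2 = pow(alpha, b1, p) * pow(beta, b2, p) % p
    return (gamma1, gamma2, a1, a2, b1, b2)


def sign(key, x, q=Q):
    """sig_K(x) = (a1 + x*b1 mod q, a2 + x*b2 mod q)."""
    _, _, a1, a2, b1, b2 = key
    return ((a1 + x * b1) % q, (a2 + x * b2) % q)


def verify(public, x, sig, p=P, alpha=ALPHA, beta=BETA):
    """ver_K(x, y) = true iff gamma1 * gamma2^x == alpha^y1 * beta^y2 (mod p)."""
    gamma1, gamma2 = public
    y1, y2 = sig
    return gamma1 * pow(gamma2, x, p) % p == pow(alpha, y1, p) * pow(beta, y2, p) % p


def proof_of_forgery(key, x, forged, p=P, q=Q, alpha=ALPHA, beta=BETA):
    """Given a verifying forgery y'' != sig_K(x), recover a0 = log_alpha(beta).
    Returns None when the pair is not a verifying forgery (nothing to prove)."""
    if not verify(key[:2], x, forged, p, alpha, beta):
        return None
    y1, y2 = sign(key, x, q)
    f1, f2 = forged
    if (y1, y2) == (f1, f2):
        return None                   # Bob's own signature, not a forgery
    # alpha^f1 beta^f2 == alpha^y1 beta^y2 with beta = alpha^a0 gives
    # f1 + a0*f2 == y1 + a0*y2 (mod q), so a0 = (f1 - y1)(y2 - f2)^{-1} mod q
    return (f1 - y1) * pow(y2 - f2, -1, q) % q


def recover_key_from_two_signatures(public, x, sig_x, xp, sig_xp, q=Q):
    """Why the scheme is one-time: two signatures under K reveal (a1, a2, b1, b2).
    Subtracting y_i = a_i + x*b_i and y_i' = a_i + x'*b_i isolates b_i, then a_i."""
    inv = pow(x - xp, -1, q)
    b1 = (sig_x[0] - sig_xp[0]) * inv % q
    b2 = (sig_x[1] - sig_xp[1]) * inv % q
    a1 = (sig_x[0] - x * b1) % q
    a2 = (sig_x[1] - x * b2) % q
    return public + (a1, a2, b1, b2)


if __name__ == "__main__":
    K = keygen(888, 1024, 786, 999)
    forged = (822, 55)
    print("key:", K)
    print("forgery verifies:", verify(K[:2], 3383, forged))
    print("Bob's own signature:", sign(K, 3383))
    print("proof of forgery a0 =", proof_of_forgery(K, 3383, forged))
```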

6.7 Notes and References 

For a nice survey of signature schemes, we recommend Mitchell, Piper, and Wild [MPW92]. This paper also contains the two methods of forging ElGamal signatures that we presented in Section 6.2. 
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The ElGamal Signature Scheme was presented in ElGamal [EL85]. The Digital Signature Standard 

was first published by NIST in August 1991, and it was adopted as a standard in December 1994 
[NBS94]. There is a lengthy discussion of DSS and the controversy surrounding it in the July 1992 issue 
of the Communications of the ACM. For a response by NIST to some of the questions raised, see [SB93]. 

The Lamport Scheme is described in the 1976 paper by Diffie and Hellman [DH76]; the modification 
by Bos and Chaum is in [BC93]. The undeniable signature scheme presented in Section 6.5 is due to 
Chaum and van Antwerpen [CVA90]. The fail-stop signature scheme from Section 6.6 is due to van 
Heyst and Pedersen [VHP93]. 

Some examples of well-known "broken" signature schemes include the Ong-Schnorr-Shamir Scheme 
[OSS85] (broken by Estes et al. [EAKMM86]); and the Birational Permutation Scheme of Shamir 
[SH94] (broken by Coppersmith, Stern, and Vaudenay [CSV94]). Finally, ESIGN is a signature scheme 
due to Fujioka, Okamoto, and Miyaguchi [FOM91]. Some versions of the scheme were broken, but the 
variation in [FOM91] has not been broken. 
Exercises 

6.1 Suppose Bob is using the ElGamal Signature Scheme, and he signs two messages $x_1$ and $x_2$ with signatures $(\gamma, \delta_1)$ and $(\gamma, \delta_2)$, respectively. (The same value for $\gamma$ occurs in both signatures.) Suppose also that $\gcd(\delta_1 - \delta_2, p - 1) = 1$. 

(a) Describe how $k$ can be computed efficiently given this information. 

(b) Describe how the signature scheme can then be broken. 

(c) Suppose $p = 31847$, $\alpha = 5$ and $\beta = 25703$. Perform the computation of $k$ and $a$, given the signature (23972, 31396) for the message $x_1 = 8990$ and the signature (23972, 20481) for the message $x_2 = 31415$. 

6.2 Suppose I implement the ElGamal Signature Scheme with $p = 31847$, $\alpha = 5$ and $\beta = 26379$. Write a computer program which does the following. 

(a) Verify the signature (20679, 11082) on the message $x = 20543$. 

(b) Determine my secret exponent, $a$, using the Shanks time-memory tradeoff. Then determine the random value $k$ used in signing the message $x$. 

6.3 Suppose Bob is using the ElGamal Signature Scheme as implemented in Example 6.1: $p = 467$, $\alpha = 2$ and $\beta = 132$. Suppose Bob has signed the message $x = 100$ with the signature (29, 51). Compute the forged signature that Oscar can then form by using $h = 102$, $i = 45$ and $j = 293$. Check that the resulting signature satisfies the verification condition. 

6.4 Prove that the second method of forgery on the ElGamal Signature Scheme, described in 
Section 6.2, also yields a signature that satisfies the verification condition. 

6.5 Here is a variation of the ElGamal Signature Scheme. The key is constructed in a similar manner as before: Bob chooses $\alpha \in \mathbb{Z}_p^*$ to be a primitive element, $a$ is a secret exponent ($0 \le a \le p - 2$) such that $\gcd(a, p - 1) = 1$, and $\beta = \alpha^a \bmod p$. The key $K = (\alpha, a, \beta)$, where $\alpha$ and $\beta$ are public and $a$ is secret. Let $x$ be a message to be signed. Bob computes the signature $\mathrm{sig}(x) = (\gamma, \delta)$, where 

$$\gamma = \alpha^k \bmod p$$

and 

$$\delta = (x - k\gamma)a^{-1} \bmod (p - 1).$$

The only difference from the original ElGamal Scheme is in the computation of $\delta$. Answer the following questions concerning this modified scheme. 



(a) Describe how a signature (y, 8) on a message x would be verified using Bob's public 
key. 

(b) Describe a computational advantage of the modified scheme over the original scheme. 

(c) Briefly compare the security of the original and modified scheme. 

6.6 Suppose Bob uses the DSS with $q = 101$, $p = 7879$, $\alpha = 170$, $a = 75$ and $\beta = 4567$, as in Example 6.3. Determine Bob's signature on the message $x = 52$ using the random value $k = 49$, and show how the resulting signature is verified. 

6.7 In the Lamport Scheme, suppose that two $k$-tuples, $x$ and $x'$, are signed by Bob. Let $\ell$ denote the number of coordinates in which $x$ and $x'$ differ. Show that Oscar can now sign $2^\ell - 2$ new messages. 

6.8 In the Bos-Chaum Scheme with $k = 6$ and $n = 4$, suppose that the messages $x = (0, 1, 0, 0, 1, 1)$ and $x' = (1, 1, 0, 1, 1, 1)$ are signed. Determine the new messages that can be signed by Oscar, knowing the signatures on $x$ and $x'$. 

6.9 In the Bos-Chaum Scheme, suppose that two $k$-tuples $x$ and $x'$ are signed by Bob. Let $\ell = |\phi(x) \cup \phi(x')|$. Show that Oscar can now sign $\binom{\ell}{n} - 2$ new messages. 

6.10 Suppose Bob is using the Chaum-van Antwerpen Undeniable Signature Scheme as in Example 6.5. That is, $p = 467$, $\alpha = 4$, $a = 101$ and $\beta = 449$. Suppose Bob is presented with a signature $y = 25$ on the message $x = 157$ and he wishes to prove it is a forgery. Suppose Alice's random numbers are $e_1 = 46$, $e_2 = 123$, $f_1 = 198$ and $f_2 = 11$ in the disavowal protocol. Compute Alice's challenges, $c$ and $d$, and Bob's responses, $C$ and $D$, and show that Alice's consistency check will succeed. 

6.11 Prove that each equivalence class of keys in the Pedersen-van Heyst Fail-stop Signature Scheme contains $q^2$ keys. 

6.12 Suppose Bob is using the Pedersen-van Heyst Fail-stop Signature Scheme, where $p = 3467$, $\alpha = 4$, $a_0 = 1567$ and $\beta = 514$ (of course, the value of $a_0$ is not known to Bob). 

(a) Using the fact that $a_0 = 1567$, determine all possible keys 

$$K = (\gamma_1, \gamma_2, a_1, a_2, b_1, b_2)$$

such that $\mathrm{sig}_K(42) = (1118, 1449)$. 

(b) Suppose that $\mathrm{sig}_K(42) = (1118, 1449)$ and $\mathrm{sig}_K(969) = (899, 471)$. Without using the fact that $a_0 = 1567$, determine the value of $K$ (this shows that the scheme is a one-time scheme). 

6.13 Suppose Bob is using the Pedersen-van Heyst Fail-stop Signature Scheme with $p = 5087$, $\alpha = 25$ and $\beta = 1866$. Suppose the key is 

$$K = (5065, 5076, 144, 874, 1873, 2345).$$

Now, suppose Bob finds the signature (2219, 458) has been forged on the message 4785. 

(a) Prove that this forgery satisfies the verification condition, so it is a valid signature. 

(b) Show how Bob will compute the proof of forgery, $a_0$, given this forged signature. 
Chapter 7 
Hash Functions 

7.1 Signatures and Hash Functions 

The reader might have noticed that the signature schemes described in Chapter 6 allow only "small" 
messages to be signed. For example, when using the DSS, a 160-bit message is signed with a 320-bit 
signature. In general, we will want to sign much longer messages. A legal document, for example, might 
be many megabytes in size. 

A naive attempt to solve this problem would be to break a long message into 160-bit chunks, and then to 
sign each chunk independently. This is analogous to encrypting a long string of plaintext by encrypting 
each plaintext character independently using the same key (e.g., ECB mode in the DES). 

But there are several problems with this approach in creating digital signatures. First of all, for a long 
message, we will end up with an enormous signature (twice as long as the original message in the case 
of the DSS). Another disadvantage is that most "secure" signature schemes are slow since they typically 
use complicated arithmetic operations such as modular exponentiation. But an even more serious 
problem with this approach is that the various chunks of a signed message could be rearranged, or some 
of them removed, and the resulting message would still be verified. We need to protect the integrity of 
the entire message, and this cannot be accomplished by independently signing little pieces of it. 

The solution to all of these problems is to use a very fast public cryptographic hash function, which will take a message of arbitrary length and produce a message digest of a specified size (160 bits if the DSS is to be used). The message digest will then be signed. For the DSS, the use of a hash function $h$ is depicted diagrammatically in Figure 7.1. 

When Bob wants to sign a message $x$, he first constructs the message digest $z = h(x)$, and then computes the signature $y = \mathrm{sig}_K(z)$. He transmits the ordered pair $(x, y)$ over the channel. Now the verification can be performed (by anyone) by first reconstructing the message digest $z = h(x)$ using the public hash function $h$, and then checking that $\mathrm{ver}_K(z, y) = \text{true}$. 
Figure 7.1 Signing a message digest 

7.2 Collision-free Hash Functions 

We have to be careful that the use of a hash function h does not weaken the security of the signature 
scheme, for it is the message digest that is signed, not the message. It will be necessary for h to satisfy 
certain properties in order to prevent various forgeries. 

The most obvious type of attack is for an opponent, Oscar, to start with a valid signed message $(x, y)$, where $y = \mathrm{sig}_K(h(x))$. (The pair $(x, y)$ could be any message previously signed by Bob.) Then he computes $z = h(x)$ and attempts to find $x' \neq x$ such that $h(x') = h(x)$. If Oscar can do this, $(x', y)$ would be a valid signed message, i.e., a forgery. In order to prevent this type of attack, we require that $h$ satisfy the following collision-free property: 

DEFINITION 7.1 Let $x$ be a message. A hash function $h$ is weakly collision-free for $x$ if it is computationally infeasible to find a message $x' \neq x$ such that $h(x') = h(x)$. 

Another possible attack is the following: Oscar first finds two messages $x \neq x'$ such that $h(x) = h(x')$. Oscar then gives $x$ to Bob and persuades him to sign the message digest $h(x)$, obtaining $y$. Then $(x', y)$ is a valid forgery. 

This motivates a different collision-free property: 

DEFINITION 7.2 A hash function $h$ is strongly collision-free if it is computationally infeasible to find messages $x$ and $x'$ such that $x \neq x'$ and $h(x) = h(x')$. 

Observe that a hash function $h$ is strongly collision-free if and only if it is computationally infeasible to find a message $x$ such that $h$ is not weakly collision-free for $x$. 

Here is a third variety of attack. As we mentioned in Section 6.2, it is often possible with certain signature schemes to forge signatures on random message digests $z$. Suppose Oscar computes a signature $y$ on such a random $z$, and then he finds a message $x$ such that $z = h(x)$. If he can do this, then $(x, y)$ is a valid forgery. To prevent this attack, we desire that $h$ satisfy the same one-way property that was mentioned previously in the context of public-key cryptosystems and the Lamport Signature Scheme: 

DEFINITION 7.3 A hash function h is one-way if given a message digest z, it is computationally 
infeasible to find a message x such that h{x) = z. 
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We are now going to prove that the strongly collision-free property implies the one-way property. This 
is done by proving the contrapositive statement. More specifically, we will prove that an arbitrary 
inversion algorithm for a hash function can be used as an oracle in a Las Vegas probabilistic algorithm 
that finds collisions. 

This reduction can be accomplished with a fairly weak assumption on the relative sizes of the domain and range of the hash function. We will assume for the time being that the hash function $h : X \to Z$, where $X$ and $Z$ are finite sets and $|X| \ge 2|Z|$. This is a reasonable assumption: If we think of an element of $X$ as being encoded as a bitstring of length $\log_2 |X|$ and an element of $Z$ as being encoded as a bitstring of length $\log_2 |Z|$, then the message digest $z = h(x)$ is at least one bit shorter than the message $x$. 

(Eventually, we will be interested in the situation where the message domain $X$ is infinite, since we want to be able to deal with messages of arbitrary length. Our argument also applies in this situation.) 

We are assuming that we have an inversion algorithm for $h$. That is, we have an algorithm $A$ which accepts as input a message digest $z \in Z$, and finds an element $A(z) \in X$ such that $h(A(z)) = z$. 

We prove the following theorem. 

THEOREM 7.1 

Suppose $h : X \to Z$ is a hash function where $|X|$ and $|Z|$ are finite and $|X| \ge 2|Z|$. Suppose $A$ is an inversion algorithm for $h$. Then there exists a probabilistic Las Vegas algorithm which finds a collision for $h$ with probability at least 1/2. 

PROOF Consider the algorithm $B$ presented in Figure 7.2. Clearly $B$ is a probabilistic algorithm of the Las Vegas type, since it either finds a collision or returns no answer. Thus our main task is to compute the probability of success. For any $x \in X$, define $x \sim x'$ if $h(x) = h(x')$. It is easy to see that $\sim$ is an equivalence relation. Define $[x]$ to be the equivalence class of $x$ under $\sim$. Each equivalence class $[x]$ consists of the inverse image of an element of $Z$, so the number of equivalence classes is at most $|Z|$. Denote the set of equivalence classes by $\mathcal{C}$. 

Now, suppose $x$ is the element of $X$ chosen in step 1. For this $x$, there are $|[x]|$ possible $x'$'s that could be returned in step 3. $|[x]| - 1$ of these $x'$'s are different from $x$ and thus lead to success in step 4. (Note that the algorithm $A$ does not know the representative of the equivalence class $[x]$ that was chosen in step 1.) So, given a particular choice $x \in X$, the probability of success is $(|[x]| - 1)/|[x]|$. 



Figure 7.2 Using an inversion algorithm A to find collisions for a hash function h 

The probability of success of the algorithm $B$ is computed by averaging over all possible choices for $x$. Hence we have constructed a Las Vegas algorithm with success probability at least 1/2. 

It follows that it is sufficient that a hash function satisfy the strongly collision-free property, since it implies the other two properties. So in the remainder of this chapter we restrict our attention to strongly collision-free hash functions. 
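Algorithm B of Theorem 7.1 as the proof describes it (pick a random $x$, ask the inversion oracle $A$ for a preimage of $h(x)$, and succeed if it differs from $x$), as an added example that is not from the book; Figure 7.2 itself is not reproduced here. The toy hash h and the table-driven oracle A are constructed for this demonstration, and exact_success_probability carries out the averaging over $x$ that the proof refers to.

```python
# Added example (not from the textbook): algorithm B of Theorem 7.1 against a
# constructed toy hash h: X -> Z with |X| = 2|Z|, using an inversion oracle A
# built from a lookup table (standing in for "any" inversion algorithm).
import hashlib
import random

X_BITS, Z_BITS = 9, 8            # |X| = 512 >= 2|Z| = 2 * 256


def h(x):
    """Toy hash: the low Z_BITS bits of SHA-256 of the X_BITS-bit input x."""
    d = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(d[-2:], "big") & ((1 << Z_BITS) - 1)


def build_inverter():
    """Constructed oracle A: for each z returns one fixed preimage (the smallest).
    Like the A of the theorem, it never learns which x the caller started from."""
    table = {}
    for x in range(1 << X_BITS):
        table.setdefault(h(x), x)
    return lambda z: table.get(z)


def find_collision(A):
    """Algorithm B: choose x at random (step 1), ask A for a preimage of h(x)
    (step 3), and succeed if it differs from x (step 4).
    Returns (x, x') with x != x' and h(x) == h(x'), or None on failure."""
    x = random.randrange(1 << X_BITS)
    xp = A(h(x))
    if xp is not None and xp != x:
        return (x, xp)
    return None


def exact_success_probability():
    """Average of (|[x]| - 1)/|[x]| over all x in X, as in the proof.
    A class of size s contributes s * (s - 1)/s = s - 1, so the average equals
    (|X| - #classes)/|X| >= (|X| - |Z|)/|X| >= 1/2 when |X| >= 2|Z|
    (this closed form is the editor's, not the book's)."""
    classes = {}
    for x in range(1 << X_BITS):
        classes[h(x)] = classes.get(h(x), 0) + 1
    return sum(s - 1 for s in classes.values()) / (1 << X_BITS)


if __name__ == "__main__":
    A = build_inverter()
    trials = 2000
    wins = sum(find_collision(A) is not None for _ in range(trials))
    print("exact success probability:", exact_success_probability())
    print("empirical success rate:", wins / trials)
```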



7.3 The Birthday Attack 

In this section, we determine a necessary security condition for hash functions that depends only on the cardinality of the set $Z$ (equivalently, on the size of the message digest). This necessary condition results from a simple method of finding collisions which is informally known as the birthday attack. This terminology arises from the so-called birthday paradox, which says that in a group of 23 random people, at least two will share a birthday with probability at least 1/2. (Of course this is not a paradox, but it is probably counter-intuitive). The reason for the terminology "birthday attack" will become clear as we progress. 

As before, let us suppose that $h : X \to Z$ is a hash function, $X$ and $Z$ are finite, and $|X| \ge 2|Z|$. Denote $|X| = m$ and $|Z| = n$. It is not hard to see that there are at least $n$ collisions; the question is how to find them. A very naive approach is to choose $k$ random distinct elements $x_1, \ldots, x_k \in X$, compute $z_i = h(x_i)$, $1 \le i \le k$, and then determine if a collision has taken place (by sorting the $z_i$'s, for example). 

This process is analogous to throwing $k$ balls randomly into $n$ bins and then checking to see if some bin contains at least two balls. (The $k$ balls correspond to the $k$ random $x_i$'s, and the $n$ bins correspond to the $n$ possible elements of $Z$.) 
We will compute a lower bound on the probability of finding a collision by this method. This lower bound will depend on $k$ and $n$, but not on $m$. Since we are interested in a lower bound on the collision probability, we will make the assumption that $|h^{-1}(z)| \approx m/n$ for all $z \in Z$. (This is a reasonable assumption: if the inverse images are not approximately equal, then the probability of finding a collision will increase.) 

Since the inverse images are all (roughly) the same size and the $x_i$'s are chosen at random, the resulting $z_i$'s can be thought of as random (not necessarily distinct) elements of $Z$. But it is a simple matter to compute the probability that $k$ random elements $z_1, \ldots, z_k \in Z$ are distinct. Consider the $z_i$'s in the order $z_1, \ldots, z_k$. The first choice $z_1$ is arbitrary; the probability that $z_2 \neq z_1$ is $1 - 1/n$; the probability that $z_3$ is distinct from $z_1$ and $z_2$ is $1 - 2/n$, etc. 

Hence, we estimate the probability of no collisions to be 

$$\left(1 - \frac{1}{n}\right)\left(1 - \frac{2}{n}\right)\cdots\left(1 - \frac{k-1}{n}\right) = \prod_{i=1}^{k-1}\left(1 - \frac{i}{n}\right).$$

If $x$ is a small real number, then $1 - x \approx e^{-x}$. This estimate is derived by taking the first two terms of the series expansion 

$$e^{-x} = 1 - x + \frac{x^2}{2!} - \frac{x^3}{3!} + \cdots.$$

Then our estimated probability of no collisions is 

$$\prod_{i=1}^{k-1}\left(1 - \frac{i}{n}\right) \approx \prod_{i=1}^{k-1} e^{-i/n} = e^{-k(k-1)/(2n)}.$$

So we estimate the probability of at least one collision to be 

$$1 - e^{-k(k-1)/(2n)}.$$

If we denote this probability by $\varepsilon$, then we can solve for $k$ as a function of $n$ and $\varepsilon$: 

$$e^{-k(k-1)/(2n)} \approx 1 - \varepsilon$$
$$-\frac{k(k-1)}{2n} \approx \ln(1 - \varepsilon)$$
$$k^2 - k \approx 2n \ln\frac{1}{1 - \varepsilon}.$$

If we ignore the term $-k$, then we estimate 

$$k \approx \sqrt{2n \ln\frac{1}{1 - \varepsilon}}.$$

If we take $\varepsilon = .5$, then our estimate is 

$$k \approx 1.17\sqrt{n}.$$

So this says that hashing just over $\sqrt{n}$ random elements of $X$ yields a collision with a probability of 50%. Note that a different choice of $\varepsilon$ leads to a different constant factor, but $k$ will still be proportional to $\sqrt{n}$. 



If $X$ is the set of all human beings, $Z$ is the set of 365 days in a non-leap year (i.e., excluding February 29), and $h(x)$ denotes the birthday of person $x$, then we are dealing with the birthday paradox. Taking $n = 365$ in our estimate, we get $k \approx 22.3$. Hence, as mentioned earlier, there will be at least one duplicated birthday among 23 random people with probability at least 1/2. 

This birthday attack imposes a lower bound on the sizes of message digests. A 40-bit message digest would be very insecure, since a collision could be found with probability 1/2 with just over $2^{20}$ (about a million) random hashes. It is usually suggested that the minimum acceptable size of a message digest is 128 bits (the birthday attack will require over $2^{64}$ hashes in this case). The choice of a 160-bit message digest for use in the DSS was undoubtedly motivated by these considerations. 
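The estimates of this section next to an actual collision search, as an added example (not the book's code): prob_no_collision is the exact product, prob_collision_estimate and hashes_needed are the $e^{-k(k-1)/(2n)}$ and $\sqrt{2n\ln(1/(1-\varepsilon))}$ approximations, and birthday_collision runs the naive method on a constructed 24-bit digest (SHA-256 truncated), for which $n = 2^{24}$ and about $1.17 \cdot 2^{12} \approx 4800$ hashes are expected; the message format "msg-<i>" is this example's own.

```python
# Added example (not from the textbook): the birthday-attack estimates of
# Section 7.3 next to an actual collision search on a constructed toy digest.
import hashlib
import math


def prob_no_collision(k, n):
    """Exact product prod_{i=1}^{k-1} (1 - i/n)."""
    p = 1.0
    for i in range(1, k):
        p *= 1 - i / n
    return p


def prob_collision_estimate(k, n):
    """The text's approximation 1 - e^{-k(k-1)/(2n)}."""
    return 1 - math.exp(-k * (k - 1) / (2 * n))


def hashes_needed(n, eps=0.5):
    """k ~ sqrt(2 n ln(1/(1 - eps))); eps = 0.5 gives about 1.17 * sqrt(n)."""
    return math.sqrt(2 * n * math.log(1 / (1 - eps)))


def truncated_digest(msg, bits):
    """Toy hash with n = 2^bits possible outputs: the leading bits of SHA-256."""
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return d >> (256 - bits)


def birthday_collision(bits, max_hashes):
    """The naive method: hash distinct messages and look for a repeated digest
    (a dictionary replaces the sorting step). Returns (m_i, m_j, hashes_used)
    or None if max_hashes is exhausted without a collision."""
    seen = {}
    for i in range(max_hashes):
        m = b"msg-%d" % i                       # constructed distinct inputs
        z = truncated_digest(m, bits)
        if z in seen:
            return seen[z], m, i + 1
        seen[z] = m
    return None


if __name__ == "__main__":
    print("P(no shared birthday), 23 people:", prob_no_collision(23, 365))
    print("estimated k for n = 365:", hashes_needed(365))
    r = birthday_collision(24, 1 << 16)
    print("24-bit collision:", r, "(expected about", round(hashes_needed(1 << 24)), "hashes)")
```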




7.4 A Discrete Log Hash Function 

In this section, we describe a hash function, due to Chaum, van Heijst, and Pfitzmann, that will be secure provided a particular discrete logarithm cannot be computed. This hash function is not fast enough to be of practical use, but it is conceptually simple and provides a nice example of a hash function that can be proved secure under a reasonable computational assumption. The Chaum-van Heijst-Pfitzmann Hash Function is presented in Figure 7.3. We now prove a theorem concerning the security of this hash function. 

Figure 7.3 Chaum-van Heijst-Pfitzmann Hash Function 

THEOREM 7.2 

Given one collision for the Chaum-van Heijst-Pfitzmann Hash Function $h$, the discrete logarithm $\log_\alpha \beta$ can be computed efficiently. 

PROOF Suppose we are given a collision 

$$h(x_1, x_2) = h(x_3, x_4),$$

where $(x_1, x_2) \neq (x_3, x_4)$. So we have the following congruence: 

$$\alpha^{x_1}\beta^{x_2} \equiv \alpha^{x_3}\beta^{x_4} \pmod p,$$

or 

$$\alpha^{x_1 - x_3} \equiv \beta^{x_4 - x_2} \pmod p.$$

Denote 

$$d = \gcd(x_4 - x_2, p - 1).$$

Since $p - 1 = 2q$ and $q$ is prime, it must be the case that $d \in \{1, 2, q, p - 1\}$. Hence, we have four possibilities for $d$, which we will consider in turn. 

First, suppose that $d = 1$. Then let 

$$y = (x_4 - x_2)^{-1} \bmod (p - 1).$$

We have that 

$$\beta \equiv \beta^{(x_4 - x_2)y} \equiv \alpha^{(x_1 - x_3)y} \pmod p,$$

so we can compute the discrete logarithm $\log_\alpha \beta$ as follows: 

$$\log_\alpha \beta = (x_1 - x_3)(x_4 - x_2)^{-1} \bmod (p - 1).$$

Next, suppose that $d = 2$. Since $p - 1 = 2q$ where $q$ is odd, we must have $\gcd(x_4 - x_2, q) = 1$. Let 

$$y = (x_4 - x_2)^{-1} \bmod q.$$

Now 

$$(x_4 - x_2)y = kq + 1$$

for some integer $k$, so we have 

$$\beta^{(x_4 - x_2)y} \equiv \beta^{kq + 1} \equiv (-1)^k\beta \equiv \pm\beta \pmod p,$$

since 

$$\beta^q \equiv -1 \pmod p.$$

So we have 

$$\alpha^{(x_1 - x_3)y} \equiv \pm\beta \pmod p.$$

It follows that 

$$\log_\alpha \beta = (x_1 - x_3)y \bmod (p - 1)$$

or 

$$\log_\alpha \beta = (x_1 - x_3)y + q \bmod (p - 1).$$

We can easily test which of these two possibilities is the correct one. Hence, as in the case $d = 1$, we have calculated the discrete logarithm $\log_\alpha \beta$. 

The next possibility is that $d = q$. But 

$$0 \le x_2 \le q - 1$$

and 

$$0 \le x_4 \le q - 1,$$

so 

$$-(q - 1) \le x_4 - x_2 \le q - 1.$$

So it is impossible that $\gcd(x_4 - x_2, p - 1) = q$; in other words, this case does not arise. 

The final possibility is that $d = p - 1$. This happens only if $x_4 = x_2$. But then we have 

$$\alpha^{x_1}\beta^{x_2} \equiv \alpha^{x_3}\beta^{x_4} \pmod p,$$

so 

$$\alpha^{x_1} \equiv \alpha^{x_3} \pmod p,$$

and $x_1 = x_3$. Thus $(x_1, x_2) = (x_3, x_4)$, a contradiction. So this case is not possible, either. 

Since we have considered all possible values for $d$, we conclude that the hash function $h$ is strongly collision-free provided that it is infeasible to compute the discrete logarithm $\log_\alpha \beta$ in $\mathbb{Z}_p^*$. 

We illustrate the result of the above theorem with an example. 

Example 7.1 

Suppose $p = 12347$ (so $q = 6173$), $\alpha = 2$ and $\beta = 8461$. Suppose we are given the collision 

$$\alpha^{5692}\beta^{144} \equiv \alpha^{212}\beta^{4214} \pmod{12347}.$$

Thus $x_1 = 5692$, $x_2 = 144$, $x_3 = 212$ and $x_4 = 4214$. Now, $\gcd(x_4 - x_2, p - 1) = 2$, so we begin by computing 

$$y = (x_4 - x_2)^{-1} \bmod q = (4214 - 144)^{-1} \bmod 6173 = 4312.$$

Next, we compute 

$$y' = (x_1 - x_3)y \bmod (p - 1) = (5692 - 212)\,4312 \bmod 12346 = 11862.$$

Now it is the case that $\log_\alpha \beta \in \{y', y' + q \bmod (p - 1)\}$. Since 

$$\alpha^{y'} \bmod p = 2^{11862} \bmod 12347 = 3886 \neq 8461,$$

we conclude that 

$$\log_\alpha \beta = y' + q \bmod (p - 1) = 11862 + 6173 \bmod 12346 = 5689.$$

As a check, we can verify that 

$$2^{5689} \equiv 8461 \pmod{12347}.$$

Hence, we have determined $\log_\alpha \beta$. 
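The Chaum-van Heijst-Pfitzmann function $h(x_1, x_2) = \alpha^{x_1}\beta^{x_2} \bmod p$, as the proof of Theorem 7.2 uses it, together with the reduction of that proof, run on the parameters and collision of Example 7.1. This is an added example, not the book's code; the function names are its own, and the $d = q$ and $d = p - 1$ cases are rejected because the proof shows they cannot occur for a genuine collision.

```python
# Added example (not from the textbook): the Chaum-van Heijst-Pfitzmann hash and
# the collision-to-discrete-log reduction of Theorem 7.2, on Example 7.1's data.
from math import gcd


def cvhp_hash(p, alpha, beta, x1, x2):
    """h(x1, x2) = alpha^x1 * beta^x2 mod p on {0..q-1} x {0..q-1}, q = (p-1)/2."""
    q = (p - 1) // 2
    if not (0 <= x1 < q and 0 <= x2 < q):
        raise ValueError("inputs must lie in {0, ..., q - 1}")
    return pow(alpha, x1, p) * pow(beta, x2, p) % p


def dlog_from_collision(p, alpha, beta, x1, x2, x3, x4):
    """Given h(x1,x2) == h(x3,x4) with (x1,x2) != (x3,x4), return log_alpha(beta),
    following the case split on d = gcd(x4 - x2, p - 1) in the proof."""
    q = (p - 1) // 2
    if cvhp_hash(p, alpha, beta, x1, x2) != cvhp_hash(p, alpha, beta, x3, x4):
        raise ValueError("not a collision")
    if (x1, x2) == (x3, x4):
        raise ValueError("trivial collision")
    d = gcd(x4 - x2, p - 1)
    if d == 1:
        # alpha^(x1-x3) == beta^(x4-x2), so invert (x4 - x2) modulo p - 1
        y = pow(x4 - x2, -1, p - 1)
        return (x1 - x3) * y % (p - 1)
    if d == 2:
        # (x4 - x2) y = kq + 1, hence alpha^((x1-x3) y) == +/- beta (mod p);
        # the '+' candidate is the log, the '-' candidate needs an extra q
        y = pow(x4 - x2, -1, q)
        cand = (x1 - x3) * y % (p - 1)
        if pow(alpha, cand, p) == beta:
            return cand
        return (cand + q) % (p - 1)
    # d == q and d == p - 1 cannot arise for a genuine collision (see the proof)
    raise ValueError("unexpected gcd %d" % d)


if __name__ == "__main__":
    p, alpha, beta = 12347, 2, 8461
    x1, x2, x3, x4 = 5692, 144, 212, 4214
    print("h(x1,x2) =", cvhp_hash(p, alpha, beta, x1, x2),
          " h(x3,x4) =", cvhp_hash(p, alpha, beta, x3, x4))
    a = dlog_from_collision(p, alpha, beta, x1, x2, x3, x4)
    print("log_alpha(beta) =", a, " check:", pow(alpha, a, p) == beta)
```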

7.5 Extending Hash Functions 

So far, we have considered hash functions with a finite domain. We now study how a strongly collision-free hash function with a finite domain can be extended to a strongly collision-free hash function with an infinite domain. This will enable us to sign messages of arbitrary length. 

Suppose $h : (\mathbb{Z}_2)^m \to (\mathbb{Z}_2)^t$ is a strongly collision-free hash function, where $m \ge t + 1$. We will use $h$ to construct a strongly collision-free hash function $h^* : X \to (\mathbb{Z}_2)^t$, where 

$$X = \bigcup_{i=m}^{\infty} (\mathbb{Z}_2)^i.$$

We first consider the situation where $m \ge t + 2$. 

We will think of elements of $X$ as bit-strings. $|x|$ denotes the length of $x$ (i.e., the number of bits in $x$), and $x \| y$ denotes the concatenation of the bit-strings $x$ and $y$. Suppose $|x| = n \ge m$. We can express $x$ as the concatenation 

$$x = x_1 \| x_2 \| \cdots \| x_k,$$

where 

$$|x_1| = |x_2| = \cdots = |x_{k-1}| = m - t - 1$$

and 

$$|x_k| = m - t - 1 - d,$$

where $0 \le d \le m - t - 2$. Hence, we have that 

$$k = \left\lceil \frac{n}{m - t - 1} \right\rceil.$$

We define $h^*(x)$ by the algorithm presented in Figure 7.4. 

Figure 7.4 Extending a hash function $h$ to $h^*$ ($m \ge t + 2$) 

Denote 

$$y(x) = y_1 \| y_2 \| \cdots \| y_{k+1}.$$

Observe that $y_k$ is formed from $x_k$ by padding on the right with $d$ zeroes, so that all the blocks $y_i$ ($1 \le i \le k$) are of length $m - t - 1$. Also, in step 3, $y_{k+1}$ should be padded on the left with zeroes so that $|y_{k+1}| = m - t - 1$. 

In order to hash $x$, we first construct $y(x)$, and then "process" the blocks $y_1, y_2, \ldots, y_{k+1}$ in a particular fashion. It is important that $y(x) \neq y(x')$ whenever $x \neq x'$. In fact, $y_{k+1}$ is defined in such a way that the mapping $x \mapsto y(x)$ will be an injection. 
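The construction of Figure 7.4 ($m \ge t + 2$) written out as an added example, not the book's code. Figure 7.4 itself is not on this page, so the steps are taken from the references to them in the text and in the proof of Theorem 7.3 (step 2 pads $x_k$ with $d$ zeroes, step 3 encodes $d$ as $y_{k+1}$, step 4 computes $g_1 = h(0^{t+1} \| y_1)$, step 5 computes $g_{i+1} = h(g_i \| 1 \| y_{i+1})$, and $h^*(x) = g_{k+1}$). The compression function h is a constructed stand-in (SHA-256 truncated to $t$ bits), and y_is_injective brute-forces the injectivity claim for small parameters.

```python
# Added example (not from the textbook): the h* construction of Figure 7.4 on
# bit-strings given as '0'/'1' text. The compression function h is a constructed
# stand-in (truncated SHA-256), not a provably collision-free function.
import hashlib
import math

M, T = 24, 8      # default: h maps 24 bits to 8 bits, so blocks have m - t - 1 = 15 bits


def h(bits, m=M, t=T):
    """Stand-in for h: (Z_2)^m -> (Z_2)^t, returned as a t-character bit-string."""
    assert len(bits) == m and set(bits) <= {"0", "1"}
    digest = int(hashlib.sha256(bits.encode()).hexdigest(), 16)
    return format(digest >> (256 - t), "0%db" % t)


def encode_y(x, m=M, t=T):
    """y(x) = y_1 || ... || y_{k+1} as a list of (m-t-1)-bit blocks: y_1..y_{k-1}
    are the blocks of x, y_k is x_k padded on the right with d zeroes (step 2),
    and y_{k+1} is d in binary, padded on the left (step 3)."""
    block = m - t - 1
    assert len(x) >= m and block >= 1
    k = math.ceil(len(x) / block)
    d = k * block - len(x)                     # 0 <= d <= m - t - 2
    y = [x[i * block:(i + 1) * block] for i in range(k)]
    y[-1] = y[-1] + "0" * d
    y.append(format(d, "0%db" % block))
    return y


def h_star(x, m=M, t=T):
    """g_1 = h(0^{t+1} || y_1) (step 4), g_{i+1} = h(g_i || 1 || y_{i+1}) (step 5),
    h*(x) = g_{k+1}. Every input to h is (t + 1) + (m - t - 1) = m bits long."""
    y = encode_y(x, m, t)
    g = h("0" * (t + 1) + y[0], m, t)
    for y_next in y[1:]:
        g = h(g + "1" + y_next, m, t)
    return g


def y_is_injective(m, t, max_len):
    """Brute-force check of the injectivity claim over all x with m <= |x| <= max_len."""
    seen = set()
    for n in range(m, max_len + 1):
        for v in range(1 << n):
            key = "".join(encode_y(format(v, "0%db" % n), m, t))
            if key in seen:
                return False
            seen.add(key)
    return True


if __name__ == "__main__":
    x = "1011" * 8                              # a constructed 32-bit input
    print("y(x) =", encode_y(x))
    print("h*(x) =", h_star(x))
    print("x -> y(x) injective for m = 12, t = 4, |x| <= 14:", y_is_injective(12, 4, 14))
```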

The following theorem proves that h* is secure provided that h is secure. 
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THEOREM 7.3 



Suppose h : is a strongly collision-free hash function, where m>t + 2. Then the 

function h* : , as constructed in Figure 7.4, is a strongly collision-free hash 

function. 

PROOF Suppose that we can find x ^ x such that h*(x) = h*(x). Given such a pair, we will show how 
we can find a collision for h in polynomial time. Since h is assumed to be strongly collision-free, we will 
obtain a contradiction, and thus h* will be proved to be strongly collision-free. 



Denote 



y{x) = yi II 2/2 



and 



where x and x are padded with d and J' 0's, respectively, in step 2. Denote the values computed in steps 
4 and 5 by g ,...,^ and f i » r r ' 1 ^(+ 1, respectively. 

We identify two cases, depending on whether or not Ixl = \x'\ (mod m-t-l). 



case 



' I (mod m-t-l). 



Here d * d' and f *+ ! ^ f 1+1. We have 
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h i9k II i\\yu+\) = 9k+i 

= h*(x) 
= h*{x f ) 

= h(9 i t || 1|| y* M ) t 

which is a collision for h since 1 ^ & t + 1. 
case 2: bcl = \x \ (mod m - r - 1). 
It is convenient to split this into two subcases: 
case 2a: \x\ = \x\. 

Here we have h = £ and ^ k + l ~ f ft+l. We begin as in case 1: 

Mtf* II 1 II V*+i) = £te+i 

= A*<*) 

= * V) 

= 9h+i 

= h(g' k || 1 11 

IfSft F 5jfc,then we find a collision for /z, so assume ffft - #*.Then we have 

Ms*-i II 1 1! = 9k 

= 9k 

= MsU II i II J/*)- 

Either we find a collision for h, or - 1 and V*: l/jt. Assuming we do not find a 
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collision, we continue working backwards, until finally we obtain 



M0 t+1 1| yi) = 9i 

= A 

= M0 m II y[). 

If J" ^ fi,then we find a collision for h, so we assume f J "™ Vi. But then — Pi for 1 < i < 

k + 1, so y(x) = y(%')- But this implies x = x since the mapping ^ ft 3 ' ) is an injection. Since 
we assumed x ^ x', we have a contradiction. 



Figure 7.5 Extending a hash function h to /** (m = t + 1) 



case 2b: bd ^ bel. 



Without loss of generality, assume \x'\ > \x\, so c . This case proceeds in a similar fashion 

as case 2a. Assuming we find no collisions for h, we eventually reach the situation where 

h(0 t+l \\ yi ) = 0i 

— J 

— 9t-k+\ 

= MaU II Ml yU+i)- 

But the (f + l)st bit of II y is a 0 and the (? + l)st bit of H 1 II Pf-ls+1 is a 1. So we 

find a collision for /i. 



Since we have considered all possible cases, we have the desired conclusion. 



The construction of Figure 7.4 can be used only when $m \ge t + 2$. Let's now look at the situation where $m = t + 1$. We need to use a different construction for $h^*$. As before, suppose $|x| = n > m$. We first encode x in a special way. This will be done using the function f defined as follows:

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$$f(0) = 0$$

$$f(1) = 01.$$

The algorithm to construct $h^*(x)$ is presented in Figure 7.5.

The encoding $y(x)$, defined in step 1, satisfies two important properties:

1. If $x \ne x'$, then $y(x) \ne y(x')$ (i.e., $x \mapsto y(x)$ is an injection).

2. There do not exist two strings $x \ne x'$ and a string z such that $y(x') = z \| y(x)$. (In other words, no encoding is a postfix of another encoding. This is easily seen because each string $y(x)$ begins with 11, and there do not exist two consecutive 1's in the remainder of the string.)
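The two properties just stated can be checked mechanically. The following is an added example, not code from the book: it implements the encoding as the text describes it (a fixed 11 prefix followed by f applied bit by bit, with f(0) = 0 and f(1) = 01; the exact layout of Figure 7.5 is not on the page, so that prefix placement is an assumption taken from the text's own remark) and verifies injectivity and postfix-freeness exhaustively for all bitstrings up to a chosen length. The `prefix` parameter is added only so the check can show that without the 11 prefix the postfix-free property fails.

```python
from itertools import product

F = {"0": "0", "1": "01"}  # f(0) = 0, f(1) = 01, as given in the text


def encode(x: str, prefix: str = "11") -> str:
    """y(x) = prefix || f(x_1) || ... || f(x_n).  The text states each y(x)
    begins with 11; the prefix parameter exists only for the comparison below."""
    return prefix + "".join(F[bit] for bit in x)


def all_bitstrings(max_len: int):
    for n in range(max_len + 1):
        for bits in product("01", repeat=n):
            yield "".join(bits)


def is_injective(max_len: int, prefix: str = "11") -> bool:
    """Property 1: x != x' implies y(x) != y(x'), for every |x| <= max_len."""
    seen = {}
    for x in all_bitstrings(max_len):
        y = encode(x, prefix)
        if seen.setdefault(y, x) != x:
            return False
    return True


def is_postfix_free(max_len: int, prefix: str = "11") -> bool:
    """Property 2: no y(x) is a postfix (suffix) of y(x') for x != x'."""
    codes = [(x, encode(x, prefix)) for x in all_bitstrings(max_len)]
    for x, y in codes:
        for x2, y2 in codes:
            if x != x2 and y2.endswith(y):
                return False
    return True
```

With the prefix removed, `encode("0") == "0"` is a suffix of `encode("10") == "010"`, which is exactly the ambiguity the 11 prefix rules out: 11 can never occur inside the remainder, so a suffix match can only start at position 0, where injectivity forces equality.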

THEOREM 7.4 

Suppose h : is a strongly collision-free hash function. Then the function h* : 

, as constructed in Figure 7.5, is a strongly collision-free hash function. 

PROOF Suppose that we can find $x \ne x'$ such that $h^*(x) = h^*(x')$. Denote

$$y(x) = y_1 y_2 \cdots y_k$$

and

$$y(x') = y'_1 y'_2 \cdots y'_l.$$



We consider two cases.

case 1: $k = l$.

As in Theorem 7.3, either we find a collision for h, or we obtain $y = y'$. But this implies $x = x'$, a contradiction.



case 2: $k \ne l$.

Without loss of generality, assume $l > k$. This case proceeds in a similar fashion. Assuming we find no collisions for h, we have the following sequence of equalities:

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$$y_k = y'_l$$

$$\vdots$$

$$y_1 = y'_{l-k+1}.$$

But this contradicts the "postfix-free" property stated above. We conclude that $h^*$ is collision-free.

We summarize the two constructions of $h^*$ in this section, and the number of applications of h needed to compute $h^*$, in the following theorem.

THEOREM 7.5 

Suppose h : is a strongly collision-free hash function, where $m \ge t + 1$. Then there

exists a strongly collision-free hash function 

oo 



The number of times h is computed in the evaluation of $h^*$ is at most



$2n + 2$ if $m = t + 1$,



where \x\ = n. 

7.6 Hash Functions from Cryptosystems 

So far, the methods we have described lead to hash functions that are probably too slow to be useful in 
practice. Another approach is to use an existing private-key cryptosystem to construct a hash function. 

Let us suppose that $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ is a computationally secure cryptosystem. For convenience, let us assume also that $\mathcal{P} = \mathcal{C} = \mathcal{K} = (\mathbb{Z}_2)^n$. Here we should have $n \ge 128$, say, in order to prevent birthday attacks. This precludes using DES (as does the fact that the key length of DES is different from the plaintext length).
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Suppose we are given a bitstring

$$x = x_1 \| x_2 \| \cdots \| x_k,$$

where $x_i \in (\mathbb{Z}_2)^n$, $1 \le i \le k$. (If the number of bits in x is not a multiple of n, then it will be necessary to pad x in some way, such as was done in Section 7.5. For simplicity, we will ignore this now.)

The basic idea is to begin with a fixed "initial value" $g_0 = IV$, and then construct $g_1, \ldots, g_k$ in order by a rule of the form

$$g_i = f(x_i, g_{i-1}),$$

where f is a function that incorporates the encryption function of our cryptosystem. Finally, define the message digest $h(x) = g_k$.
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Several hash functions of this type have been proposed, and many of them have been shown to be insecure (independent of whether or not the underlying cryptosystem is secure). However, four variations of this theme that appear to be secure are as follows:

$$g_i = e_{g_{i-1}}(x_i) \oplus x_i$$

$$g_i = e_{g_{i-1}}(x_i) \oplus x_i \oplus g_{i-1}$$

$$g_i = e_{g_{i-1}}(x_i \oplus g_{i-1}) \oplus x_i$$

$$g_i = e_{g_{i-1}}(x_i \oplus g_{i-1}) \oplus x_i \oplus g_{i-1}$$
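The four rules above, written out generically over any block cipher $e_K(\cdot)$ with n-bit keys and n-bit blocks, as an added example that is not the book's code. Because the Python standard library ships no block cipher, the cipher `e` here is a constructed 4-round Feistel network whose round function is SHA-256; that is an assumption made only so the example runs offline, and it is not a vetted cipher. Its decryption routine `d` is included to show that `e` really is a keyed permutation, which is what the construction requires.

```python
import hashlib

N_BYTES = 16  # n = 128 bits, the minimum the text suggests against birthday attacks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def _round_fn(subkey: bytes, half: bytes) -> bytes:
    return hashlib.sha256(subkey + half).digest()[: N_BYTES // 2]


def e(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher e_key(block): 128-bit key, 128-bit block (constructed Feistel)."""
    assert len(key) == N_BYTES and len(block) == N_BYTES
    left, right = block[: N_BYTES // 2], block[N_BYTES // 2:]
    for r in range(4):
        left, right = right, _xor(left, _round_fn(key + bytes([r]), right))
    return left + right


def d(key: bytes, block: bytes) -> bytes:
    """Inverse of e, so e is a permutation of (Z_2)^n for every key."""
    left, right = block[: N_BYTES // 2], block[N_BYTES // 2:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round_fn(key + bytes([r]), left)), left
    return left + right


# The four compression rules g_i = f(x_i, g_{i-1}) from the text, in the order listed.
MODES = {
    1: lambda x, g: _xor(e(g, x), x),
    2: lambda x, g: _xor(_xor(e(g, x), x), g),
    3: lambda x, g: _xor(e(g, _xor(x, g)), x),
    4: lambda x, g: _xor(_xor(e(g, _xor(x, g)), x), g),
}


def block_cipher_hash(x: bytes, mode: int, iv: bytes = bytes(N_BYTES)) -> bytes:
    """h(x) = g_k with g_0 = IV.  The text ignores padding, so x must already be a
    multiple of n bits; a real implementation would pad as in Section 7.5."""
    if len(x) % N_BYTES != 0:
        raise ValueError("input length must be a multiple of n bits; pad first")
    g = iv
    for i in range(0, len(x), N_BYTES):
        g = MODES[mode](x[i:i + N_BYTES], g)
    return g
```

Note that the previous chaining value $g_{i-1}$ is used as the cipher key, so every block costs one key schedule plus one encryption; that is part of why the text calls these constructions slow compared with dedicated designs such as MD4.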





Figure 7.6 Constructing M in MD4 

7.7 The MD4 Hash Function 

The MD4 Hash Function was proposed in 1990 by Rivest, and a strengthened version, called MD5, 
was presented in 1991. The Secure Hash Standard (or SHS) is more complicated, but it is based on the 
same underlying methods. It was published in the Federal Register on January 31, 1992, and adopted as 
a standard on May 11, 1993. (A proposed revision was put forward on July 11, 1994, to correct a 
"technical flaw" in the SHS.) All of the above hash functions are very fast, so they are practical for 
signing very long messages. 

In this section, we will describe MD4 in detail, and discuss some of the modifications that are employed 
in MD5 and the SHS. 

Given a bitstring x, we will first produce an array
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$$M = M[0] M[1] \cdots M[N-1],$$

where each M[i] is a bitstring of length 32 and $N \equiv 0 \pmod{16}$. We will call each M[i] a word. M is constructed from x using the algorithm presented in Figure 7.6.



In the construction of M, we append a single 1 to x, then we concatenate enough 0's so that the length becomes congruent to 448 modulo 512, and finally we concatenate 64 bits that contain the binary representation of the (original) length of x (reduced modulo $2^{64}$, if necessary). The resulting string M has length divisible by 512. So when we break M up into 32-bit words, the resulting number of words, denoted by N, will be divisible by 16.



Now we proceed to construct a 128-bit message digest. A high-level description of the algorithm is 
presented in Figure 7.7. The message digest is constructed as the concatenation of the four words A, B, C 
and D, which we refer to as registers. The four registers are initialized in step 1. Now we process the 
array M 16 words at a time. In each iteration of the loop in step 2, we first take the "next" 16 words of M 
and store them in an array X (step 3). The values of the four registers are then stored (step 4). Then we 
perform three "rounds" of hashing. Each round consists of one operation on each of the 16 words in X 
(we will describe these operations in more detail shortly). The operations done in the three rounds 
produce new values in the four registers. Finally, the four registers are updated in step 8 by adding back 
the values that were stored in step 4. This addition is defined to be addition of positive integers, reduced modulo $2^{32}$.




Figure 7.7 The MD4 hash function 



The three rounds in MD4 are different (unlike DES, say, where the 16 rounds are identical). We first 
describe several different operations that are employed in these three rounds. In the following 
description, X and Y denote input words, and each operation produces a word as output. Here are the 
operations employed: 



$X \wedge Y$  bitwise "and" of X and Y

$X \vee Y$  bitwise "or" of X and Y

$X \oplus Y$  bitwise "xor" of X and Y

$\neg X$  bitwise complement of X

$X + Y$  integer addition modulo $2^{32}$

$X \lll s$  circular left shift of X by s positions ($0 \le s \le 31$)
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Note that all of these operations are very fast, and the only arithmetic operation that is used is addition modulo $2^{32}$. If MD4 is actually implemented, it will be necessary to take into account the underlying architecture of the computer it is run on in order to perform addition correctly. Suppose $a_1 a_2 a_3 a_4$ are the four bytes in a word. We think of each $a_i$ as being an integer in the range 0,...,255, represented in binary.

In a big-endian architecture (such as a Sun SPARCstation), this word represents the integer

$$a_1 2^{24} + a_2 2^{16} + a_3 2^{8} + a_4.$$

In a little-endian architecture (such as the Intel 80xxx line), this word represents the integer

$$a_4 2^{24} + a_3 2^{16} + a_2 2^{8} + a_1.$$

MD4 assumes a little-endian architecture. It is important that the message digest is independent of the underlying architecture. So if we wish to run MD4 on a big-endian computer, it will be necessary to perform the addition operation X + Y as follows:

1. Interchange $x_1$ and $x_4$; $x_2$ and $x_3$; $y_1$ and $y_4$; and $y_2$ and $y_3$.

2. Compute $Z = X + Y \bmod 2^{32}$.

3. Interchange $z_1$ and $z_4$; and $z_2$ and $z_3$.

Rounds 1, 2, and 3 of MD4 respectively use three functions f, g and h. Each of f, g and h is a bitwise boolean function that takes three words as input and produces a word as output. They are defined as follows:

$$f(X, Y, Z) = (X \wedge Y) \vee ((\neg X) \wedge Z)$$
$$g(X, Y, Z) = (X \wedge Y) \vee (X \wedge Z) \vee (Y \wedge Z)$$
$$h(X, Y, Z) = X \oplus Y \oplus Z.$$

The complete descriptions of Rounds 1, 2 and 3 of MD4 are presented in Figures 7.8-7.10.

MD4 was designed to be very fast, and indeed, software implementations on Sun SPARCstations attain 
speeds of 1.4 Mbytes/sec. On the other hand, it is difficult to say something concrete about the security 
of a hash function such as MD4 since it is not "based" on a well-studied problem such as factoring or 
the Discrete Log problem. So, as is the case with DES, confidence in the security of the system can only 
be attained over time, as the system is studied and (one hopes) not found to be insecure. 
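An added example, not the book's code: a complete MD4 written from the description above, using the round structure and constants published in RFC 1320 (Figures 7.8-7.10 are not on this page, so the per-round word orders, shift amounts and additive constants come from the RFC). Packing and unpacking words with an explicit little-endian format does in software what the three-step byte-swapping procedure above does by hand, so the digest is the same on big- and little-endian machines.

```python
import struct

MASK32 = 0xFFFFFFFF


def rotl(x: int, s: int) -> int:
    """Circular left shift of a 32-bit word by s positions (X <<< s)."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def f(x, y, z): return (x & y) | (~x & z & MASK32)          # round 1
def g(x, y, z): return (x & y) | (x & z) | (y & z)           # round 2
def h(x, y, z): return x ^ y ^ z                             # round 3


def md4_pad(x: bytes) -> bytes:
    """Figure 7.6: append a 1 bit, 0 bits up to 448 mod 512, then the 64-bit length."""
    bit_len = (len(x) * 8) & 0xFFFFFFFFFFFFFFFF            # length reduced modulo 2^64
    padded = x + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


# (function, order of X[k] words, shift schedule, additive constant) per round, from RFC 1320
ROUNDS = [
    (f, list(range(16)), (3, 7, 11, 19), 0x00000000),
    (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
]


def md4(x: bytes) -> bytes:
    """128-bit MD4 digest of x, following the steps of Figure 7.7."""
    regs = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]   # A, B, C, D (step 1)
    data = md4_pad(x)
    for off in range(0, len(data), 64):                        # step 2: 16 words at a time
        X = struct.unpack("<16I", data[off:off + 64])          # step 3, little-endian words
        saved = list(regs)                                     # step 4
        for fn, order, shifts, const in ROUNDS:                # steps 5-7: three rounds
            for i, k in enumerate(order):
                # registers rotate through the roles (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a)
                a, b, c, d = [(j - i) % 4 for j in range(4)]
                total = (regs[a] + fn(regs[b], regs[c], regs[d]) + X[k] + const) & MASK32
                regs[a] = rotl(total, shifts[i % 4])
        regs = [(r + s) & MASK32 for r, s in zip(regs, saved)]  # step 8: add back mod 2^32
    return struct.pack("<4I", *regs)
```

`md4(b"abc").hex()` reproduces the RFC 1320 test vector `a448017aaf21d8525fc10ae87aa6729d`; the padding routine alone is worth inspecting, since a message of exactly 56 bytes must still grow by a full extra block.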
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Figure 7.8 Round 1 of MD4 



Although MD4 has not been broken, weakened versions that omit either the first or the third round can 
be broken without much difficulty. That is, it is easy to find collisions for these two-round versions of 
MD4. A strengthened version of MD4, called MD5, was proposed in 1991. MD5 uses four rounds 
instead of three, and runs about 30% slower than MD4 (about .9 Mbytes/sec on a SPARCstation). 
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The Secure Hash Standard is yet more complicated, and slower (about .2 Mbytes/sec on a 
SPARCstation). We will not give a complete description, but we will indicate a few of the modifications 
employed in the SHS. 

1. SHS is designed to run on a big-endian architecture, rather than a little-endian architecture. 

2. SHS produces a 5-register (160-bit) message digest. 



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

Figure 7.9 Round 2 of MD4 

3. SHS processes the message 16 words at a time, as does MD4. However, the 16 words are first 
"expanded" into 80 words. Then a sequence of 80 operations is performed, one on each word. 

The following "expansion function" is used. Given the 16 words X[0],..., X[15], we compute 64 more 
words by the recurrence relation 

$$X[j] = X[j-3] \oplus X[j-8] \oplus X[j-14] \oplus X[j-16], \quad 16 \le j \le 79. \qquad (7.1)$$

The result of Equation 7.1 is that each of the words X[16],..., X[79] is formed as the exclusive-or of a predetermined subset of the words X[0],..., X[15].

For example, we have 
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$$X[16] = X[0] \oplus X[2] \oplus X[8] \oplus X[13]$$

$$X[17] = X[1] \oplus X[3] \oplus X[9] \oplus X[14]$$

$$X[18] = X[2] \oplus X[4] \oplus X[10] \oplus X[15]$$

$$X[19] = X[0] \oplus X[2] \oplus X[3] \oplus X[5] \oplus X[8] \oplus X[11] \oplus X[13]$$
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Figure 7.10 Round 3 of MD4 

$$X[79] = X[1] \oplus X[4] \oplus X[5] \oplus X[8] \oplus X[9] \oplus X[12] \oplus X[13].$$

The proposed revision of the SHS concerns the expansion function. It is proposed that Equation 7.1 be replaced by the following:

$$X[j] = (X[j-3] \oplus X[j-8] \oplus X[j-14] \oplus X[j-16]) \lll 1, \quad 16 \le j \le 79. \qquad (7.2)$$

As before, the operation "$\lll 1$" means a circular left shift of one position.
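Both expansion functions, as an added example that is not the book's code. Besides the two numeric versions (Equation 7.1 and the revised Equation 7.2), `expand_symbolic` runs Equation 7.1 on index sets instead of words: XOR of words corresponds to symmetric difference of the sets of original indices, so the result states exactly which of X[0],..., X[15] each expanded word is the exclusive-or of, which is how the worked examples above for X[16] through X[19] and X[79] can be checked. The sample input words are constructed.

```python
MASK32 = 0xFFFFFFFF


def rotl1(w: int) -> int:
    """Circular left shift by one position (the <<< 1 of Equation 7.2)."""
    return ((w << 1) | (w >> 31)) & MASK32


def expand_original(words):
    """Equation 7.1: X[j] = X[j-3] ^ X[j-8] ^ X[j-14] ^ X[j-16] for 16 <= j <= 79."""
    X = list(words)
    assert len(X) == 16
    for j in range(16, 80):
        X.append(X[j - 3] ^ X[j - 8] ^ X[j - 14] ^ X[j - 16])
    return X


def expand_revised(words):
    """Equation 7.2: the same XOR, then a circular left shift by one bit."""
    X = list(words)
    assert len(X) == 16
    for j in range(16, 80):
        X.append(rotl1(X[j - 3] ^ X[j - 8] ^ X[j - 14] ^ X[j - 16]))
    return X


def expand_symbolic():
    """Equation 7.1 over index sets: S[j] is the set of i in 0..15 such that X[i]
    appears in the expression for X[j].  XOR of words = symmetric difference of sets."""
    S = [frozenset([i]) for i in range(16)]
    for j in range(16, 80):
        S.append(S[j - 3] ^ S[j - 8] ^ S[j - 14] ^ S[j - 16])
    return S


def pretty(S, j) -> str:
    """Render S[j] the way the text writes it, e.g. 'X[0] ^ X[2] ^ X[8] ^ X[13]'."""
    return " ^ ".join(f"X[{i}]" for i in sorted(S[j]))


if __name__ == "__main__":
    S = expand_symbolic()
    for j in (16, 17, 18, 19, 79):
        print(f"X[{j}] = {pretty(S, j)}")
```

The symbolic form also makes the motivation for Equation 7.2 visible: under 7.1 every expanded word is a plain XOR of input words, so a bit in position b of X[16..79] depends only on bit b of X[0..15], whereas the rotation in 7.2 mixes bit positions across words.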

7.8 Timestamping 

One difficulty with signature schemes is that a signing algorithm may be compromised. For example, 
suppose that Oscar is able to determine Bob's secret exponent a in the DSS. Then, of course, Oscar can 
forge Bob's signature on any message he likes. But another (perhaps even more serious) problem is that the compromise of a signing algorithm calls into question the authenticity of all messages signed by Bob, including those he signed before Oscar stole the signing algorithm.



Figure 7.11 Timestamping a signature on a message x 



Here is yet another undesirable situation that could arise: Suppose Bob signs a message and later wishes 
to disavow it. Bob might publish his signing algorithm and then claim that his signature on the message 
in question is a forgery. 

The reason these types of events can occur is that there is no way to determine when a message was 
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signed. This suggests that we consider ways of timestamping a (signed) message. A timestamp should 
provide proof that a message was signed at a particular time. Then, if Bob's signing algorithm is 
compromised, it would not invalidate any signatures he made previously. This is similar conceptually to 
the way credit cards work: if someone loses a credit card and notifies the bank that issued it, it becomes
invalid. But purchases made prior to the loss of the card are not affected. 

In this section, we will describe a few methods of timestamping. First, we observe that Bob can produce 
a convincing timestamp on his own. First, Bob obtains some "current" publicly available information 
which could not have been predicted before it happened. For example, such information might consist of 
all the major league baseball scores from the previous day, or the values of all the stocks listed on the 
New York Stock Exchange. Denote this information by pub. 

Now, suppose Bob wants to timestamp his signature on a message x. We assume that h is a publicly 
known hash function. Bob will proceed according to the algorithm presented in Figure 7.11. Here is how 
the scheme works: The presence of the information pub means that Bob could not have produced y 
before the date in question. And the fact that y is published in the next day's newspaper proves that Bob 
did not compute y after the date in question. So Bob's signature y is bounded within a period of one day. 
Also observe that Bob does not reveal the message x in this scheme since only z is published. If 
necessary, Bob can prove that x was the message he signed and timestamped simply by revealing it. 




Figure 7.12 Timestamping $(z_n, y_n, ID_n)$

It is also straightforward to produce timestamps if there is a trusted timestamping service available (i.e., an electronic notary public). Bob can compute $z = h(x)$ and $y = sig_{Bob}(z)$ and then send (z, y) to the timestamping service, or TSS. The TSS will then append the date D and sign the triple (z, y, D). This
works perfectly well provided that the signing algorithm of the TSS remains secure and provided that 
the TSS cannot be bribed to backdate timestamps. (Note also that this method establishes only that Bob 
signed a message before a certain time. If Bob also wanted to establish that he signed it after a certain 
date, he could incorporate some public information pub as in the previous method.) 

If it is undesirable to trust the TSS unconditionally, the security can be increased by sequentially linking 
the messages that are timestamped. In such a scheme, Bob would send an ordered triple (z, y, ID(Bob)) 
to the TSS. Here z is the message digest of the message x; y is Bob's signature on z; and ID(Bob) is 
Bob's identifying information. The TSS will be timestamping a sequence of triples of this form. Denote by $(z_n, y_n, ID_n)$ the nth triple to be timestamped by the TSS, and let $t_n$ denote the time at which the nth request is made.

The TSS will timestamp the nth triple using the algorithm in Figure 7.12. The quantity $L_n$ is "linking
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information" that ties the nth request to the previous one. ($L_1$ will be taken to be some predetermined dummy information to get the process started.)

Now, if challenged, Bob can reveal his message $x_n$, and then $y_n$ can be verified. Next, the signature $s_n$ of the TSS can be verified. If desired, then $ID_{n-1}$ or $ID_{n+1}$ can be requested to produce their timestamps, $(C_{n-1}, s_{n-1}, ID_n)$ and $(C_{n+1}, s_{n+1}, ID_{n+2})$, respectively. The signatures of the TSS can be checked in these timestamps. Of course, this process can be continued as far as desired, backwards and/or forwards.
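The linked scheme, as an added example that is not the book's code. Figure 7.12 is not on the page, so the record layout is an assumption built from the text: the nth record $C_n$ holds $(n, t_n, z_n, y_n, ID_n, L_n)$, and $L_{n+1}$ is $(t_n, ID_n, z_n, h(L_n))$, with a constant dummy $L_1$. The signatures $sig_{TSS}$ and $sig_{Bob}$ are replaced by HMAC-SHA256 under a secret, a stand-in chosen only so the example runs with the standard library (a real deployment would use a public-key signature so anyone can verify without the TSS's secret). The messages, identities and times are constructed. The point the code makes is the one the text makes: once later records reference $L_{n+1}$, the TSS cannot quietly change an earlier time $t_n$ and re-sign, because the stored link in the next record no longer matches.

```python
import hashlib
import hmac
import json


def h(data: bytes) -> str:
    """The publicly known hash function h (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def sign(secret: bytes, obj) -> str:
    """Stand-in for sig(.) applied to a hashed record: HMAC-SHA256 over its JSON form."""
    return hmac.new(secret, json.dumps(obj).encode(), hashlib.sha256).hexdigest()


def verify(secret: bytes, obj, tag: str) -> bool:
    return hmac.compare_digest(sign(secret, obj), tag)


def link_for(C):
    """L_{n+1} = (t_n, ID_n, z_n, h(L_n)) derived from C_n = (n, t_n, z_n, y_n, ID_n, L_n)."""
    n, t, z, y, ident, L = C
    return [t, ident, z, h(json.dumps(L).encode())]


class TSS:
    """Timestamping service that links every request to the previous one."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.records = []                                        # (C_n, s_n), n = 1, 2, ...
        self.next_link = ["start", "start", "start", h(b"start")]  # L_1: dummy information

    def timestamp(self, z: str, y: str, ident: str, t: int):
        """Timestamp the nth request (z_n, y_n, ID_n) made at time t_n."""
        n = len(self.records) + 1
        C = [n, t, z, y, ident, self.next_link]
        s = sign(self.secret, C)
        self.records.append((C, s))
        self.next_link = link_for(C)
        return C, s


def verify_chain(records, tss_secret: bytes) -> bool:
    """Check every s_n and that each L_{n+1} really refers to record n (backwards linking)."""
    for idx, (C, s) in enumerate(records):
        if not verify(tss_secret, C, s):
            return False
        if idx > 0 and C[5] != link_for(records[idx - 1][0]):
            return False
    return True


def demo():
    """Three users timestamp in sequence; Bob's is request 2.  All values are constructed."""
    tss = TSS(b"tss-secret (constructed)")
    bob_secret = b"bob-secret (constructed)"
    z_bob = h(b"constructed message from Bob")
    y_bob = sign(bob_secret, z_bob)                   # y = sig_Bob(z)
    tss.timestamp(h(b"alice's message"), "sig-alice", "Alice", 1000)
    C2, s2 = tss.timestamp(z_bob, y_bob, "Bob", 1001)
    tss.timestamp(h(b"carol's message"), "sig-carol", "Carol", 1002)
    return tss, C2
```

A challenged Bob reveals $x_2$ (so $z_2 = h(x_2)$ can be recomputed), the verifier checks $s_2$, and then walks to records 1 and 3 through the stored links; the check in `verify_chain` is the backwards half of that walk.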
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7.9 Notes and References 

The discrete log hash function described in Section 7.4 is due to Chaum, van Heijst, and Pfitzmann 
[CvHP92] . A hash function that can be proved secure provided that a composite integer n cannot be 
factored is given by Gibson [GIB91] (see Exercise 7.4 for a description of this scheme). 

The material on extending hash functions in Section 7.5 is based on Damgard [DA90]. Similar methods 
were discovered by Merkle [ME90]. 

For information concerning the construction of hash functions from private-key cryptosystems, see
Preneel, Govaerts, and Vandewalle [PGV94]. 

The MD4 hashing algorithm was presented in Rivest [RI91], and the Secure Hash Standard is described in [NBS93]. An attack against two of the three rounds of MD4 is given by den Boer and Bosselaers [DBB92]. Other recently proposed hash functions include N-hash [MOI90] and Snefru [ME90A].

Timestamping is discussed in Haber and Stornetta [HS91] and Bayer, Haber, and Stornetta [BHS93]. 
A thorough survey of hashing techniques can be found in Preneel, Govaerts, and Vandewalle [PGV93]. 

Exercises 

7.1 Suppose $h : X \to Y$ is a hash function. For any $y \in Y$, let
and denote $s_y = |h^{-1}(y)|$. Define

$$N = |\{\{x_1, x_2\} : h(x_1) = h(x_2)\}|.$$
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Note that N counts the number of unordered pairs in X that collide under h. Answer the 
following: 

(a) Prove that

$$\sum_{y \in Y} s_y = |X|,$$

so the mean of the $s_y$'s is $|X|/|Y|$.




(b) Prove that 

(c) Prove that

$$\sum_{y \in Y} s_y^2 = 2N + |X|.$$

Figure 7.13 Hashing 4m bits to m bits 

(d) Using the result proved in part (c), prove that 

Further, show that equality is attained if and only if 
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for every y e Y. 

7.2 As in Exercise 7.1, suppose $h : X \to Y$ is a hash function, and let

$$h^{-1}(y) = \{x \in X : h(x) = y\}$$

for any $y \in Y$. Let $\epsilon$ denote the probability that $h(x_1) = h(x_2)$, where $x_1$ and $x_2$ are random (not necessarily distinct) elements of X. Prove that

with equality if and only if

for every $y \in Y$.

7.3 Suppose $p = 15083$, $\alpha = 154$ and $\beta = 2307$ in the Chaum-van Heijst-Pfitzmann Hash Function. Given the collision

aMsi^iM = a iw^w (mod p)> 

compute $\log_\alpha \beta$.

7.4 Suppose $n = pq$, where p and q are two (secret) distinct large primes such that $p = 2p_1 + 1$ and $q = 2q_1 + 1$, where $p_1$ and $q_1$ are prime. Suppose that $\alpha$ is an element of order $2p_1 q_1$ in $\mathbb{Z}_n^*$. Define a hash function $h : \{1, \ldots, n^2\} \to \mathbb{Z}_n^*$ by the rule $h(x) = \alpha^x \bmod n$.

Now, suppose that $n = 603241$ and $\alpha = 11$ are used to define a hash function h of this type. Suppose that we are given three collisions for h: $h(1294755) = h(80115359) = h(52738737)$. Use this information to factor n.

7.5 Suppose $h : (\mathbb{Z}_2)^{2m} \to (\mathbb{Z}_2)^m$ is a strongly collision-free hash function.
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(a) Define $h^2 : (\mathbb{Z}_2)^{4m} \to (\mathbb{Z}_2)^m$ as in Figure 7.13. Prove that $h^2$ is strongly collision-free.

(b) For an integer $i \ge 2$, define a hash function $h^i : (\mathbb{Z}_2)^{2^i m} \to (\mathbb{Z}_2)^m$ recursively from $h^{i-1}$, as indicated in Figure 7.14. Prove that $h^i$ is strongly collision-free.

7.6 Using the (original) expansion function of the SHS, Equation 7.1, express each of X[16],..., X[79] in terms of X[0],..., X[15]. Now, for each pair X[i], X[j],


Figure 7.14 Hashing 2' m bits to m bits 

where $1 \le i < j \le 15$, use a computer program to determine $X_{ij}$, which denotes the number of X[k]'s ($16 \le k \le 79$) such that X[i] and X[j] both occur in the expression for X[k]. What is the range of values $X_{ij}$?

y 
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Chapter 8 

Key Distribution and Key Agreement 

8.1 Introduction 

We have observed that public-key systems have the advantage over private-key systems that a secure 
channel is not needed to exchange a secret key. But, unfortunately, most public-key systems are much
slower than private-key systems such as DES, for example. So, in practice, private-key systems are 
usually used to encrypt "long" messages. But then we come back to the problem of exchanging secret 
keys. 

In this chapter, we discuss several approaches to the problem of establishing secret keys. We will 
distinguish between key distribution and key agreement. Key distribution is defined to be a mechanism 
whereby one party chooses a secret key and then transmits it to another party or parties. Key agreement 
denotes a protocol whereby two (or more) parties jointly establish a secret key by communicating over a 
public channel. In a key agreement scheme, the value of the key is determined as a function of inputs 
provided by both parties. 

As our setting, we have an insecure network of n users. In some of our schemes, we will have a trusted 
authority (denoted by TA) that is responsible for such things as verifying the identities of users, choosing
and transmitting keys to users, etc. 

Since the network is insecure, we need to protect against potential opponents. Our opponent, Oscar, 
might be a passive adversary, which means that his actions are restricted to eavesdropping on messages 
that are transmitted over the channel. On the other hand, we might want to guard against the possibility 
that Oscar is an active adversary. An active adversary can do various types of nasty things such as the 
following: 

1. alter messages that he observes being transmitted over the network 

2. save messages for reuse at a later time 

3. attempt to masquerade as various users in the network. 
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The objective of an active adversary might be one of the following: 

1. to fool U and V into accepting an "invalid" key as valid (an invalid key could be an old key 
that has expired, or a key chosen by the adversary, to mention two possibilities) 

2. to make U or V believe that they have exchanged a key with each other when they have not.

The objective of a key distribution or key agreement protocol is that, at the end of the protocol, the two 
parties involved both have possession of the same key K, and the value of K is not known to any other 
party (except possibly the TA). Certainly it is much more difficult to design a protocol providing this 
type of security in the presence of an active adversary as opposed to a passive one. 

We first consider the idea of key predistribution in Section 8.2. For every pair of users {U, V}, the TA chooses a random key $K = K_{U,V}$ and transmits it "off-band" to U and V over a secure channel. (That is, the transmission of keys does not take place over the network, since the network is not secure.) This approach is unconditionally secure, but it requires a secure channel between the TA and every user in the network. But, of possibly even more significance is the fact that each user must store n - 1 keys, and the TA needs to transmit a total of $\binom{n}{2}$ keys securely (this is sometimes called the "$n^2$ problem"). Even for relatively small networks, this can become prohibitively expensive, and thus it is not really a practical solution.

In Section 8.2.1, we discuss an interesting unconditionally secure key predistribution scheme, due to 
Blom, that allows a reduction in the amount of secret information to be stored by the users in the 
network. We also present in Section 8.2.2 a computationally secure key predistribution scheme based on 
the discrete logarithm problem. 

A more practical approach can be described as on-line key distribution by TA. In such a scheme, the TA 
acts as a key server. The TA shares a secret key K with every user U in the network. When U wishes to 

communicate with V, she requests a session key from the TA. The TA generates a session key K and 
sends it in encrypted form for U and V to decrypt. The well-known Kerberos system, which we 
describe in Section 8.3, is based on this approach. 

If it is impractical or undesirable to have an on-line TA, then a common approach is to use a key 
agreement protocol. In a key agreement protocol, U and V jointly choose a key by communicating over 
a public channel. This remarkable idea is due to Diffie and Hellman, and (independently) to Merkle. We 
describe a few of the more popular key agreement protocols. A variation of the original protocol of 
Diffie and Hellman, modified to protect against an active adversary, is presented in Section 8.4.1. Two 
other interesting protocols are also discussed: the MTI scheme is presented in Section 8.4.2 and the 
Girault scheme is covered in Section 8.4.3. 

8.2 Key Predistribution 
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In the basic method, the TA generates $\binom{n}{2}$ keys, and gives each key to a unique pair of users in a network of n users. As mentioned above, we require a secure channel between the TA and each user to transmit these keys. This is a significant improvement over each pair of users independently exchanging keys over a secure channel, since the number of secure channels required has been reduced from $\binom{n}{2}$ to n. But if n is large, this solution is not very practical, both in terms of the amount of information to be transmitted securely, and in the amount of information that each user must store securely (namely, the secret keys of the other n - 1 users).

Thus, it is of interest to try to reduce the amount of information that needs to be transmitted and stored, while still allowing each pair of users U and V to be able to (independently) compute a secret key $K_{U,V}$.

An elegant scheme to accomplish this, called the Blom Key Predistribution Scheme, is discussed in 
the next subsection. 
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8.2.1 Blom's Scheme 

As above, we suppose that we have a network of n users. For convenience, we suppose that keys are chosen from a finite field $\mathbb{Z}_p$, where $p \ge n$ is prime. Let k be an integer, $1 \le k \le n - 2$. The value k is the largest size coalition against which the scheme will remain secure. In the Blom Scheme, the TA will transmit k + 1 elements of $\mathbb{Z}_p$ to each user over a secure channel (as opposed to n - 1 in the basic key predistribution scheme). Each pair of users, U and V, will be able to compute a key $K_{U,V} = K_{V,U}$, as before. The security condition is as follows: any set of at most k users disjoint from {U, V} must be unable to determine any information about $K_{U,V}$ (note that we are speaking here about unconditional security).

We first present the special case of Blom's scheme where k = 1. Here, the TA will transmit two elements of $\mathbb{Z}_p$ to each user over a secure channel, and any individual user W will be unable to determine any information about $K_{U,V}$ if $W \ne U, V$. Blom's scheme is presented in Figure 8.1. We illustrate the Blom Scheme with k = 1 in the following example.
Example 8.1

Suppose the three users are U, V and W, p = 17, and their public elements are $r_U = 12$, $r_V = 7$ and $r_W = 1$. Suppose that the TA chooses a = 8, b = 7 and c = 2, so the polynomial f is

$$f(x, y) = 8 + 7(x + y) + 2xy.$$

The g polynomials are as follows:

$$g_U(x) = 7 + 14x$$
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Figure 8.1 Blom Key Distribution Scheme (k = 1) 

$$g_V(x) = 6 + 4x$$
$$g_W(x) = 15 + 9x.$$

The three keys are thus

$$K_{U,V} = 3$$
$$K_{U,W} = 4$$
$$K_{V,W} = 10.$$

U would compute $K_{U,V}$ as

$$g_U(r_V) = 7 + 14 \times 7 \bmod 17 = 3$$

V would compute $K_{U,V}$ as

$$g_V(r_U) = 6 + 4 \times 12 \bmod 17 = 3.$$

We leave the computation of the other keys as an exercise for the reader.

We now prove that no one user can determine any information about the key of two other users. 
THEOREM 8.1 

The Blom Scheme with k= 1 is unconditionally secure against any individual user. 
PROOF Let's suppose that user W wants to try to compute the key
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$$K_{U,V} = a + b(r_U + r_V) + c\, r_U r_V \bmod p.$$



The values $r_U$ and $r_V$ are public, but a, b and c are unknown. W does know the values

$$a_W = a + b\, r_W \bmod p$$

and

$$b_W = b + c\, r_W \bmod p$$

since these are the coefficients of the polynomial $g_W(x)$ that was sent to W by the TA.

What we will do is show that the information known by W is consistent with any possible value $\ell \in \mathbb{Z}_p$ of the key $K_{U,V}$. Hence, W cannot rule out any values for $K_{U,V}$. Consider the following matrix equation (in $\mathbb{Z}_p$):

$$\begin{pmatrix} 1 & r_U + r_V & r_U r_V \\ 1 & r_W & 0 \\ 0 & 1 & r_W \end{pmatrix} \begin{pmatrix} a \\ b \\ c \end{pmatrix} = \begin{pmatrix} \ell \\ a_W \\ b_W \end{pmatrix}.$$

The first equation represents the hypothesis that $K_{U,V} = \ell$; the second and third equations contain the information that W knows about a, b and c from $g_W(x)$.

The determinant of the coefficient matrix is

$$r_W^2 + r_U r_V - (r_U + r_V) r_W = (r_W - r_U)(r_W - r_V),$$

where all arithmetic is done in $\mathbb{Z}_p$. Since $r_W \ne r_U$ and $r_W \ne r_V$, it follows that the coefficient matrix has non-zero determinant, and hence the matrix equation has a unique solution for a, b, c. In other words, any possible value $\ell$ of $K_{U,V}$ is consistent with the information known to W.

On the other hand, a coalition of two users, say {W, X}, will be able to determine any key $K_{U,V}$. W and X together know that

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$$a_W = a + b\, r_W$$
$$b_W = b + c\, r_W$$
$$a_X = a + b\, r_X$$
$$b_X = b + c\, r_X.$$

Thus they have four equations in three unknowns, and they can easily compute a unique solution for a, b and c. Once they know a, b and c, they can form the polynomial f(x, y) and compute any key they wish.

It is straightforward to generalize the scheme to remain secure against coalitions of size k. The only thing that changes is step 2. The TA will use a polynomial f(x, y) having the form

$$f(x, y) = \sum_{i=0}^{k} \sum_{j=0}^{k} a_{i,j}\, x^i y^j \bmod p,$$

where $a_{i,j} \in \mathbb{Z}_p$ ($0 \le i \le k$, $0 \le j \le k$) and $a_{i,j} = a_{j,i}$ for all i, j. The remainder of the protocol is unchanged.
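Blom's scheme for general k, as an added example that is not the book's code. The TA holds the symmetric coefficient matrix $(a_{i,j})$ of f(x, y); for each user U it evaluates $g_U(x) = f(r_U, x)$ and sends only the k + 1 coefficients of $g_U$, and two users then derive $K_{U,V} = g_U(r_V) = g_V(r_U)$, which agree because f is symmetric. With k = 1 and the matrix $\begin{pmatrix} 8 & 7 \\ 7 & 2 \end{pmatrix}$ this is exactly Example 8.1 above (p = 17, $r_U = 12$, $r_V = 7$, $r_W = 1$); the k = 2 parameters used in the test are constructed.

```python
def symmetric_mod_p(coeffs, p):
    """Validate a_ij = a_ji and reduce the (k+1) x (k+1) coefficient matrix mod p."""
    k1 = len(coeffs)
    for i in range(k1):
        if len(coeffs[i]) != k1:
            raise ValueError("coefficient matrix must be square")
        for j in range(k1):
            if coeffs[i][j] % p != coeffs[j][i] % p:
                raise ValueError("coefficient matrix must be symmetric (a_ij = a_ji)")
    return [[c % p for c in row] for row in coeffs]


def f(coeffs, x, y, p):
    """f(x, y) = sum_i sum_j a_ij x^i y^j mod p (TA side only)."""
    k1 = len(coeffs)
    return sum(coeffs[i][j] * pow(x, i, p) * pow(y, j, p)
               for i in range(k1) for j in range(k1)) % p


def g_coeffs(coeffs, r_u, p):
    """The k+1 coefficients of g_U(x) = f(r_U, x): the only secret material U receives."""
    k1 = len(coeffs)
    return [sum(coeffs[i][j] * pow(r_u, i, p) for i in range(k1)) % p for j in range(k1)]


def eval_poly(cs, x, p):
    """g_U(x) evaluated by U from its stored coefficients."""
    return sum(c * pow(x, j, p) for j, c in enumerate(cs)) % p


def blom_keys(coeffs, public_r, p):
    """TA distributes g_U to every user; each pair then computes K_{U,V} = g_U(r_V)
    without any further contact with the TA.  Returns (per-user coefficients, pairwise keys)."""
    coeffs = symmetric_mod_p(coeffs, p)
    if len(set(public_r.values())) != len(public_r):
        raise ValueError("public elements r_U must be distinct")
    g = {u: g_coeffs(coeffs, r, p) for u, r in public_r.items()}
    keys = {(u, v): eval_poly(g[u], public_r[v], p)
            for u in public_r for v in public_r if u != v}
    return g, keys
```

The storage saving is what makes the scheme attractive: each user keeps k + 1 field elements instead of n - 1 keys, and the price, as the proof above shows, is that any k + 1 colluding users recover f entirely.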

8.2.2 Diffie-Hellman Key Predistribution 

In this section, we describe a key predistribution scheme that is a modification of the well-known Diffie-Hellman key exchange protocol that we will discuss a bit later, in Section 8.4. We call this the Diffie-Hellman Key Predistribution Scheme. The scheme is computationally secure provided a problem related to the Discrete Logarithm problem is intractable.

We will describe the scheme over $\mathbb{Z}_p$, where p is prime, though it can be implemented in any finite group in which the Discrete Logarithm problem is intractable. We will assume that $\alpha$ is a primitive element of $\mathbb{Z}_p$, and that the values p and $\alpha$ are publicly known to everyone in the network.

In this scheme, ID(U) will denote certain identification information for each user U in the network, e.g., his or her name, e-mail address, telephone number, or other relevant information. Also, each user U has a secret exponent $a_U$ (where $0 \le a_U \le p - 2$), and a corresponding public value

$$b_U = \alpha^{a_U} \bmod p.$$

The TA will have a signature scheme with a (public) verification algorithm $ver_{TA}$ and a secret signing
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algorithm $sig_{TA}$. Finally, we will implicitly assume that all information is hashed, using a public hash function, before it is signed. To make the procedures easier to read, we will not include the necessary hashing in the description of the protocols.

Certain information pertaining to a user U will be authenticated by means of a certificate which is issued and signed by the TA. Each user U will have a certificate

$$C(U) = (ID(U), b_U, sig_{TA}(ID(U), b_U)),$$

where $b_U$ is formed as described above (note that the TA does not need to know the value of $a_U$). A certificate for a user U will be issued when U joins the network. Certificates can be stored in a public database, or each user can store his or her own certificate. The signature of the TA on a certificate allows anyone in the network to verify the information it contains.

It is very easy for U and V to compute the common key

$$K_{U,V} = \alpha^{a_U a_V} \bmod p,$$

as shown in Figure 8.2.
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We illustrate the algorithm with a small example.

Example 8.2

Suppose p = 25307 and $\alpha = 2$ are publicly known (p is prime and $\alpha$ is a primitive root modulo p). Suppose U chooses $a_U = 3578$. Then she computes

$$b_U = \alpha^{a_U} \bmod p = 2^{3578} \bmod 25307 = 6113,$$

which is placed on her certificate. Suppose V chooses $a_V = 19956$. Then he computes

$$b_V = \alpha^{a_V} \bmod p = 2^{19956} \bmod 25307 = 7984,$$

Figure 8.2 Diffie-Hellman Key Predistribution

which is placed on his certificate.

Now U can compute the key
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$$K_{U,V} = b_V^{a_U} \bmod p = 7984^{3578} \bmod 25307 = 3694,$$

and V can compute the same key

$$K_{U,V} = b_U^{a_V} \bmod p = 6113^{19956} \bmod 25307 = 3694.$$

Let us think about the security of this scheme in the presence of a passive or active adversary. The signature of the TA on users' certificates effectively prevents W from altering any information on someone else's certificate. Hence we need only worry about passive attacks. So the pertinent question is: Can a user W compute $K_{U,V}$ if W ≠ U, V? In other words, given $\alpha^{a_U} \bmod p$ and $\alpha^{a_V} \bmod p$ (but not $a_U$ nor $a_V$), is it feasible to compute $\alpha^{a_U a_V} \bmod p$? This problem is called the Diffie-Hellman problem, and it is formally defined (using an equivalent but slightly different presentation) in Figure 8.3. It is clear that Diffie-Hellman Key Predistribution is secure against a passive adversary if and only if the Diffie-Hellman problem is intractable.

Figure 8.3 The Diffie-Hellman problem 

If W could determine $a_U$ from $b_U$, or if he could determine $a_V$ from $b_V$, then he could compute $K_{U,V}$ exactly as U (or V) does. But both these computations are instances of the Discrete Log problem. So, provided that the Discrete Log problem in $\mathbb{Z}_p^*$ is intractable, Diffie-Hellman Key Predistribution is secure against this particular type of attack. However, it is an unproven conjecture that any algorithm that solves the Diffie-Hellman problem could also be used to solve the Discrete Log problem. (This is very similar to the situation with RSA, where it is conjectured, but not proved, that breaking RSA is polynomially equivalent to factoring.)

By the remarks made above, the Diffie-Hellman problem is no more difficult than the Discrete Log 
problem. Although we cannot say precisely how difficult this problem is, we can relate its security to 
that of another cryptosystem we have already studied, namely the ElGamal Cryptosystem. 

THEOREM 8.2
Breaking the ElGamal Cryptosystem is equivalent to solving the Diffie-Hellman problem.

PROOF First we recall how ElGamal encryption and decryption work. The key is $K = (p, \alpha, a, \beta)$, where $\beta = \alpha^a \bmod p$ (a is secret and p, $\alpha$, and $\beta$ are public). For a (secret) random number $k \in \mathbb{Z}_{p-1}$, the encryption of x is $(y_1, y_2)$, where

$$y_1 = \alpha^k \bmod p$$

and

$$y_2 = x\beta^k \bmod p.$$

For $y_1, y_2 \in \mathbb{Z}_p^*$, decryption recovers $x = y_2 (y_1^a)^{-1} \bmod p$.

Suppose we have an algorithm A to solve the Diffie-Hellman problem, and we are given an ElGamal encryption $(y_1, y_2)$. We will apply the algorithm A with inputs p, $\alpha$, $y_1$, and $\beta$. Then, we obtain the value

$$A(p, \alpha, y_1, \beta) = A(p, \alpha, \alpha^k, \alpha^a) = \alpha^{ka} \bmod p = \beta^k \bmod p.$$

Then, the decryption of $(y_1, y_2)$ can easily be computed as

$$x = y_2 (\beta^k)^{-1} \bmod p.$$

Conversely, suppose we have an algorithm B that performs ElGamal decryption. That is, B takes as inputs p, $\alpha$, $\beta$, $y_1$, and $y_2$, and computes the quantity

$$x = y_2 \left(y_1^{\log_\alpha \beta}\right)^{-1} \bmod p.$$

Now, given inputs p, $\alpha$, $\beta$, and $\gamma$ for the Diffie-Hellman problem, it is easy to see that

as desired.
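The predistribution of Example 8.2 and both reductions in the proof of Theorem 8.2, as an added Python example that is not from the book. Algorithm A (Diffie-Hellman) and algorithm B (ElGamal decryption) are realised by exhaustive search for the discrete logarithm, which is feasible only because p = 25307 is tiny; the TA's certificate signature is an opaque stand-in string.

```python
"""Diffie-Hellman Key Predistribution (Example 8.2) and the two reductions of Theorem 8.2."""
from dataclasses import dataclass

# Public parameters of Example 8.2: p is prime and alpha = 2 is a primitive root modulo p.
P, ALPHA = 25307, 2


@dataclass(frozen=True)
class Cert:
    """C(U) = (ID(U), b_U, sig_TA(ID(U), b_U)); the TA's signature is an opaque stand-in string,
    since the scheme only needs b_U to be authentic, not any particular signature algorithm."""
    ident: str
    b: int
    sig: str


def issue_cert(ident: str, b: int) -> Cert:
    """The TA certifies (ID(U), b_U) without ever learning a_U."""
    return Cert(ident, b, f"sig_TA({ident},{b})")


def predistributed_key(my_secret: int, peer: Cert, p: int = P) -> int:
    """K_{U,V} = b_V^{a_U} mod p: U needs only her own a_U and V's certified b_V."""
    return pow(peer.b, my_secret, p)


def example_8_2() -> tuple:
    """Both users of Example 8.2 derive the common key offline from each other's certificate."""
    a_u, a_v = 3578, 19956
    cert_u = issue_cert("U", pow(ALPHA, a_u, P))
    cert_v = issue_cert("V", pow(ALPHA, a_v, P))
    return predistributed_key(a_u, cert_v), predistributed_key(a_v, cert_u)


def discrete_log(p: int, alpha: int, target: int) -> int:
    """Exhaustive search for k with alpha^k = target mod p; feasible only because p is tiny."""
    x = 1
    for k in range(p - 1):
        if x == target:
            return k
        x = x * alpha % p
    raise ValueError("target is not a power of alpha")


def dh_algorithm(p: int, alpha: int, u: int, v: int) -> int:
    """Algorithm A of the proof: given alpha^k and alpha^a, return alpha^{ka} mod p."""
    return pow(v, discrete_log(p, alpha, u), p)


def decrypt_with_dh(A, p: int, alpha: int, beta: int, y1: int, y2: int) -> int:
    """First direction: A(p, alpha, y1, beta) = beta^k mod p, so x = y2 (beta^k)^{-1} mod p."""
    beta_k = A(p, alpha, y1, beta)
    return y2 * pow(beta_k, -1, p) % p


def elgamal_decryptor(p: int, alpha: int, beta: int, y1: int, y2: int) -> int:
    """Algorithm B of the proof: y2 (y1^{log_alpha beta})^{-1} mod p."""
    a = discrete_log(p, alpha, beta)
    return y2 * pow(pow(y1, a, p), -1, p) % p


def dh_with_decryptor(B, p: int, alpha: int, beta: int, gamma: int) -> int:
    """Converse: B(p, alpha, beta, gamma, 1) returns (gamma^{log_alpha beta})^{-1} mod p,
    whose inverse is the Diffie-Hellman value alpha^{ab} for beta = alpha^a, gamma = alpha^b."""
    return pow(B(p, alpha, beta, gamma, 1), -1, p)


def elgamal_encrypt(x: int, k: int, p: int, alpha: int, beta: int) -> tuple:
    """ElGamal ciphertext (y1, y2) = (alpha^k, x beta^k) mod p for the chosen random k."""
    return pow(alpha, k, p), x * pow(beta, k, p) % p
```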

8.3 Kerberos 

In the key predistribution methods we discussed in the previous section, each pair of users can compute 
one fixed key. If the same key is used for a long period of time, there is a danger that it might be 
compromised. Thus it is often preferable to use an on-line method in which a new session key is 
produced every time a pair of users want to communicate (this property is called key freshness). 

If on-line key distribution is used, there is no need for any network user to store keys to communicate 
with other users (each user will share a key with the TA, however). Session keys will be transmitted on 
request by the TA. It is the responsibility of the TA to ensure key freshness. 

Kerberos is a popular key serving system based on private-key cryptography. In this section, we give an overview of the protocol for issuing session keys in Kerberos. Each user U shares a secret DES key $K_U$ with the TA. In the most recent version of Kerberos (version V), all messages to be transmitted are encrypted using cipher block chaining (CBC) mode, as described in Section 3.4.1.

Figure 8.4 Transmission of a session key using Kerberos

As in Section 8.2.2, ID(U) will denote public identification information for user U. When a request for a session key is sent to the TA, the TA will generate a new random session key K. Also, the TA will record the time at which the request is made as a timestamp, T, and specify the lifetime, L, during which K will be valid. That is, the session key K is to be regarded as a valid key from time T to time T + L. All this information is encrypted and transmitted to U and (eventually) to V. Before going into more details, we will present the protocol in Figure 8.4.

The information transmitted in the protocol is illustrated in the following diagram:

U → TA: request for a session key to communicate with V
TA → U: $e_{K_U}(K, ID(V), T, L)$, $e_{K_V}(K, ID(U), T, L)$
U → V: $e_{K_V}(K, ID(U), T, L)$, $e_K(ID(U), T)$
V → U: $e_K(T + 1)$

We will now explain what is going on in the various steps of the protocol. Although we have no formal proof that Kerberos is "secure" against an active adversary, we can at least give some informal motivation of the features of the protocol.

As mentioned above, the TA generates K, T, and L in step 2. In step 3, this information, along with ID(V), is encrypted using the key $K_U$ shared by U and the TA to form $m_1$. Also, K, T, L, and ID(U) are encrypted using the key $K_V$ shared by V and the TA to form $m_2$. Both these encrypted messages are sent to U.

U can use her key $K_U$ to decrypt $m_1$ and thus obtain K, T, and L. She will verify that the current time is in the interval from T to T + L. She can also check that the session key K has been issued for her desired communicant V by verifying the information ID(V) decrypted from $m_1$.

Next, U will relay $m_2$ to V. As well, U will use the new session key K to encrypt T and ID(U) and send the resulting message $m_3$ to V.

When V receives $m_2$ and $m_3$ from U, he decrypts $m_2$ to obtain T, K, L and ID(U). Then he uses the new session key K to decrypt $m_3$ and he verifies that T and ID(U), as decrypted from $m_2$ and $m_3$, are the same. This ensures V that the session key encrypted within $m_2$ is the same key that was used to encrypt $m_3$. Then V uses K to encrypt T + 1, and sends the result back to U as message $m_4$.

When U receives $m_4$, she decrypts it using K and verifies that the result is T + 1. This ensures U that the session key K has been successfully transmitted to V, since K was needed in order to produce the message $m_4$.

It is important to note the different functions of the messages transmitted in this protocol. The messages $m_1$ and $m_2$ are used to provide secrecy in the transmission of the session key K. On the other hand, $m_3$ and $m_4$ are used to provide key confirmation, that is, to enable U and V to convince each other that they possess the same session key K. In most key distribution schemes, (session) key confirmation can be included as a feature if it is not already present. Usually this is done in a similar fashion as it is done in Kerberos, namely by using the new session key K to encrypt known quantities. In Kerberos, U uses K to encrypt ID(U) and T, which are already encrypted in $m_2$. Similarly, V uses K to encrypt T + 1.

The purpose of the timestamp T and lifetime L is to prevent an active adversary from storing "old" messages for retransmission at a later time (this is called a replay attack). This method works because keys are not accepted as valid once they have expired.



Figure 8.5 Diffie-Hellman Key Exchange 

One of the drawbacks of Kerberos is that all the users in the network should have synchronized clocks, 
since the current time is used to determine if a given session key K is valid. In practice, it is very 
difficult to provide perfect synchronization, so some amount of variation in times must be allowed. 
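The four-message exchange of Figure 8.4 together with the checks described above, as an added Python simulation that is not from the book or from any Kerberos implementation. The cipher $e_K$ is a constructed stand-in (SHA-256 keystream plus an HMAC tag) for DES in CBC mode, the clock is an integer the caller passes in, and the lifetime L is fixed at 300 seconds; the long-term keys $K_U$, $K_V$ are generated at random.

```python
"""Kerberos session-key issuance (Section 8.3, Figure 8.4): messages m1..m4 and the checks
U and V make on ID, timestamp T and lifetime L."""
import hashlib
import hmac
import json
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a constructed stand-in for Kerberos' DES-CBC encryption."""
    blocks = [hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(key: bytes, fields: dict) -> dict:
    """e_K: encrypt-then-MAC, so a message decrypts only under the key that produced it."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def decrypt(key: bytes, msg: dict) -> dict:
    """d_K: check the tag before parsing anything; a wrong key or altered message is rejected."""
    tag = hmac.new(key, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, msg["tag"]):
        raise ValueError("message was not produced under this key")
    pt = bytes(a ^ b for a, b in zip(msg["ct"], _keystream(key, msg["nonce"], len(msg["ct"]))))
    return json.loads(pt)

class TrustedAuthority:
    """Holds every user's long-term key K_U; the lifetime L is a fixed policy value here."""

    def __init__(self, user_keys: dict, lifetime: int = 300):
        self.user_keys, self.lifetime = user_keys, lifetime

    def issue(self, id_u: str, id_v: str, now: int) -> tuple:
        """Steps 2-3: fresh random K, timestamp T = now, then m1 = e_{K_U}(K, ID(V), T, L)
        and m2 = e_{K_V}(K, ID(U), T, L), both returned to U."""
        K, T, L = secrets.token_hex(16), now, self.lifetime
        m1 = encrypt(self.user_keys[id_u], {"K": K, "ID": id_v, "T": T, "L": L})
        m2 = encrypt(self.user_keys[id_v], {"K": K, "ID": id_u, "T": T, "L": L})
        return m1, m2

def check_validity(fields: dict, expected_peer: str, now: int) -> None:
    """Shared by U and V: accept K only inside [T, T + L] and only for the intended communicant."""
    if not fields["T"] <= now <= fields["T"] + fields["L"]:
        raise ValueError("session key outside its validity period (possible replay)")
    if fields["ID"] != expected_peer:
        raise ValueError("session key was issued for a different communicant")

def user_u_step4(k_u: bytes, id_u: str, id_v: str, m1: dict, now: int):
    """U decrypts and checks m1, then builds m3 = e_K(ID(U), T) for V."""
    f = decrypt(k_u, m1)
    check_validity(f, id_v, now)
    K = bytes.fromhex(f["K"])
    return K, f["T"], encrypt(K, {"ID": id_u, "T": f["T"]})

def user_v_step5(k_v: bytes, id_u: str, m2: dict, m3: dict, now: int):
    """V decrypts m2 and m3, requires T and ID(U) to agree, and answers m4 = e_K(T + 1)."""
    f = decrypt(k_v, m2)
    check_validity(f, id_u, now)
    K = bytes.fromhex(f["K"])
    g = decrypt(K, m3)
    if (g["T"], g["ID"]) != (f["T"], f["ID"]):
        raise ValueError("m3 does not confirm the key and timestamp carried in m2")
    return K, encrypt(K, {"T1": f["T"] + 1})

def user_u_step6(K: bytes, T: int, m4: dict) -> bool:
    """Key confirmation for U: only a holder of K could have produced e_K(T + 1)."""
    return decrypt(K, m4)["T1"] == T + 1

def run_protocol(now: int, delay: int = 0) -> bool:
    """One full exchange; `delay` is how long after issuance V sees m2/m3 (0 for a live run)."""
    keys = {"U": secrets.token_bytes(32), "V": secrets.token_bytes(32)}   # constructed K_U, K_V
    m1, m2 = TrustedAuthority(keys).issue("U", "V", now)
    K_u, T, m3 = user_u_step4(keys["U"], "U", "V", m1, now)
    K_v, m4 = user_v_step5(keys["V"], "U", m2, m3, now + delay)
    return K_u == K_v and user_u_step6(K_u, T, m4)

def replay_is_rejected(now: int, delay: int) -> bool:
    """True when V refuses m2/m3 presented `delay` seconds after issuance: the effect of T and L."""
    try:
        run_protocol(now, delay)
    except ValueError:
        return True
    return False
```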

8.4 Diffie-Hellman Key Exchange

If we do not want to use an on-line key server, then we are forced to use a key agreement protocol to exchange secret keys. The first and best known key agreement protocol is Diffie-Hellman Key Exchange. We will assume that p is prime, $\alpha$ is a primitive element of $\mathbb{Z}_p^*$, and that the values p and $\alpha$ are publicly known. (Alternatively, they could be chosen by U and communicated to V in the first step of the protocol.) Diffie-Hellman Key Exchange is presented in Figure 8.5.

At the end of the protocol, U and V have computed the same key

$$K = \alpha^{a_U a_V} \bmod p.$$

This protocol is very similar to Diffie-Hellman Key Predistribution described earlier. The difference is that the exponents $a_U$ and $a_V$ of users U and V (respectively) are chosen anew each time the protocol is run, instead of being fixed. Also, in this protocol, both U and V are assured of key freshness, since the session key depends on both random exponents $a_U$ and $a_V$.

8.4.1 The Station-to-station Protocol

Diffie-Hellman Key Exchange is supposed to look like this:

U → V: $\alpha^{a_U} \bmod p$
V → U: $\alpha^{a_V} \bmod p$

Unfortunately, the protocol is vulnerable to an active adversary who uses an intruder-in-the-middle attack. There is an episode of The Lucy Show in which Vivian Vance is having dinner in a restaurant with a date, and Lucille Ball is hiding under the table. Vivian and her date decide to hold hands under the table. Lucy, trying to avoid detection, holds hands with each of them and they think they are holding hands with each other.

An intruder-in-the-middle attack on the Diffie-Hellman Key Exchange protocol works in the same way. W will intercept messages between U and V and substitute his own messages, as indicated in the following diagram:

U → W: $\alpha^{a_U} \bmod p$      W → V: $\alpha^{a_U'} \bmod p$
V → W: $\alpha^{a_V} \bmod p$      W → U: $\alpha^{a_V'} \bmod p$

At the end of the protocol, U has actually established the secret key $\alpha^{a_U a_V'}$ with W, and V has established a secret key $\alpha^{a_U' a_V}$ with W. When U tries to encrypt a message to send to V, W will be able to decrypt it but V will not. (A similar situation holds if V sends a message to U.)

Clearly, it is essential for U and V to make sure that they are exchanging messages with each other and 
not with W. Before exchanging keys, U and V might carry out a separate protocol to establish each 
other's identity, for example by using one of the identification schemes that we will describe in Chapter 
9. But this offers no protection against an intruder-in-the-middle attack if W simply remains inactive 
until after U and V have proved their identities to each other. Hence, the key agreement protocol should 
itself authenticate the participants' identities at the same time as the key is being established. Such a 
protocol will be called authenticated key agreement. 



We will describe an authenticated key agreement protocol which is a modification of Diffie-Hellman Key Exchange. The protocol assumes a publicly known prime p and a primitive element $\alpha$, and it makes use of certificates. Each user U will have a signature scheme with verification algorithm $ver_U$ and signing algorithm $sig_U$. The TA also has a signature scheme with public verification algorithm $ver_{TA}$. Each user U has a certificate

$$C(U) = (ID(U), ver_U, sig_{TA}(ID(U), ver_U)),$$

where ID(U) is identification information for U.

Figure 8.6 Simplified Station-to-station Protocol

The authenticated key agreement known as the Station-to-station Protocol (or STS for short) is due to Diffie, Van Oorschot, and Wiener. The protocol we present in Figure 8.6 is a slight simplification; it can be used in such a way that it is conformant with the ISO 9798-3 protocols.

The information exchanged in the simplified STS protocol (excluding certificates) is illustrated as follows:
Let's see how this protects against an intruder-in-the-middle attack. As before, W will intercept $\alpha^{a_U}$ and replace it with $\alpha^{a_U'}$. W then receives $\alpha^{a_V}, sig_V(\alpha^{a_V}, \alpha^{a_U'})$ from V. He would like to replace $\alpha^{a_V}$ with $\alpha^{a_V'}$ as before. However, this means that he must also replace $sig_V(\alpha^{a_V}, \alpha^{a_U'})$ by $sig_V(\alpha^{a_V'}, \alpha^{a_U'})$. Unfortunately for W, he cannot compute V's signature on $(\alpha^{a_V'}, \alpha^{a_U'})$ since he doesn't know V's signing algorithm $sig_V$. Similarly, W is unable to replace $sig_U(\alpha^{a_U}, \alpha^{a_V'})$ because he does not know U's signing algorithm.

This is illustrated in the following diagram:

It is the use of signatures that thwarts the intruder-in-the-middle attack.

The protocol, as described in Figure 8.6, does not provide key confirmation. However, it is easy to modify so that it does, by defining

$$y_V = e_K(sig_V(\alpha^{a_V}, \alpha^{a_U}))$$

in step 4 and defining

$$y_U = e_K(sig_U(\alpha^{a_U}, \alpha^{a_V}))$$

in step 6. (As in Kerberos, we obtain key confirmation by encrypting a known quantity using the new session key.) The resulting protocol is known as the Station-to-station Protocol. We leave the remaining details for the interested reader to fill in.
8.4.2 MTI Key Agreement Protocols

Matsumoto, Takashima, and Imai have constructed several interesting key agreement protocols by modifying Diffie-Hellman Key Exchange. These protocols, which we call MTI protocols, do not require that U and V compute any signatures. They are two-pass protocols since there are only two separate transmissions of information performed (one from U to V and one from V to U). In contrast, the STS protocol is a three-pass protocol.

We present one of the MTI protocols. The setting for this protocol is the same as for Diffie-Hellman Key Predistribution. We assume a publicly known prime p and a primitive element $\alpha$. Each user U has an ID string, ID(U), a secret exponent $a_U$ ($0 \le a_U \le p - 2$), and a corresponding public value

$$b_U = \alpha^{a_U} \bmod p.$$

The TA has a signature scheme with a (public) verification algorithm $ver_{TA}$ and a secret signing algorithm $sig_{TA}$.

Figure 8.7 Matsumoto-Takashima-Imai Key Agreement Protocol

Each user U will have a certificate

$$C(U) = (ID(U), b_U, sig_{TA}(ID(U), b_U)),$$

where $b_U$ is formed as described above.

We present the MTI key agreement protocol in Figure 8.7. At the end of the protocol, U and V have both computed the same key

$$K = \alpha^{r_U a_V + r_V a_U} \bmod p.$$
We give an example to illustrate this protocol.

Example 8.3

Suppose p = 27803 and $\alpha$ = 5 are publicly known. Assume U chooses $a_U$ = 21131; then she will compute

$$b_U = 5^{21131} \bmod 27803 = 21420,$$

which is placed on her certificate. As well, assume V chooses $a_V$ = 17555. Then he will compute

$$b_V = 5^{17555} \bmod 27803 = 17100,$$

which is placed on his certificate.

Now suppose that U chooses $r_U$ = 169; then she will send the value

$$s_U = 5^{169} \bmod 27803 = 6268$$

to V. Suppose that V chooses $r_V$ = 23456; then he will send the value

$$s_V = 5^{23456} \bmod 27803 = 26759$$

to U.

Now U can compute the key

$$K_{U,V} = s_V^{a_U} b_V^{r_U} \bmod p = 26759^{21131}\, 17100^{169} \bmod 27803 = 21600,$$

and V can compute the key

$$K_{U,V} = s_U^{a_V} b_U^{r_V} \bmod p = 6268^{17555}\, 21420^{23456} \bmod 27803 = 21600.$$

Thus U and V have computed the same key.

The information transmitted during the protocol is depicted as follows:

U → V: C(U), $\alpha^{r_U} \bmod p$
V → U: C(V), $\alpha^{r_V} \bmod p$



Let's look at the security of the scheme. It is not too difficult to show that the security of the MTI protocol against a passive adversary is exactly the same as the Diffie-Hellman problem (see the exercises). As with many protocols, proving security in the presence of an active adversary is problematic. We will not attempt to prove anything in this regard, and we limit ourselves to some informal arguments.

Here is one threat we might consider: Without the use of signatures during the protocol, it might appear that there is no protection against an intruder-in-the-middle attack. Indeed, it is possible that W might alter the values that U and V send each other. We depict one typical scenario that might arise, as follows:

U → W: C(U), $\alpha^{r_U}$      W → V: C(U), $\alpha^{r_U'}$
V → W: C(V), $\alpha^{r_V}$      W → U: C(V), $\alpha^{r_V'}$

In this situation, U and V will compute different keys: U will compute

$$K = \alpha^{r_U a_V + r_V' a_U} \bmod p,$$

while V will compute

$$K = \alpha^{r_U' a_V + r_V a_U} \bmod p.$$

However, neither of the key computations of U or V can be carried out by W, since they require knowledge of the secret exponents $a_U$ and $a_V$, respectively. So even though U and V have computed different keys (which will of course be useless to them), neither of these keys can be computed by W (assuming the intractability of the Discrete Log problem). In other words, both U and V are assured that the other is the only user in the network that could compute the key that they have computed. This property is sometimes called implicit key authentication.
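Example 8.3 and the substitution scenario just described, as an added Python example that is not from the book. The TA's signature on a certificate is an opaque stand-in string, and the altered exponents $r_U'$ = 170 and $r_V'$ = 23457 are constructed values chosen so that the two resulting keys visibly differ.

```python
"""MTI key agreement (Figure 8.7, Example 8.3) and the substitution scenario of the text."""
from dataclasses import dataclass

# Public parameters of Example 8.3; alpha = 5 is a primitive element modulo p.
P, ALPHA = 27803, 5


@dataclass(frozen=True)
class Cert:
    """C(U) = (ID(U), b_U, sig_TA(ID(U), b_U)); the TA signature is an opaque stand-in string."""
    ident: str
    b: int
    sig: str


def issue_cert(ident: str, a: int) -> Cert:
    """The TA certifies b_U = alpha^{a_U} mod p; a_U itself stays with U."""
    b = pow(ALPHA, a, P)
    return Cert(ident, b, f"sig_TA({ident},{b})")


def first_message(r: int) -> int:
    """s_U = alpha^{r_U} mod p, the only per-run value a party transmits besides its certificate."""
    return pow(ALPHA, r, P)


def mti_key(my_secret: int, my_r: int, peer_cert: Cert, peer_s: int) -> int:
    """K = s_V^{a_U} * b_V^{r_U} mod p = alpha^{r_V a_U + r_U a_V}; a_U is needed, so W cannot run this."""
    return pow(peer_s, my_secret, P) * pow(peer_cert.b, my_r, P) % P


def honest_run(a_u: int, r_u: int, a_v: int, r_v: int) -> tuple:
    """Two passes: U sends (C(U), s_U), V sends (C(V), s_V); each combines with the other's certificate."""
    cert_u, cert_v = issue_cert("U", a_u), issue_cert("V", a_v)
    s_u, s_v = first_message(r_u), first_message(r_v)
    return mti_key(a_u, r_u, cert_v, s_v), mti_key(a_v, r_v, cert_u, s_u)


def substituted_run(a_u: int, r_u: int, a_v: int, r_v: int,
                    r_u_fake: int, r_v_fake: int) -> tuple:
    """W forwards the (signed) certificates unchanged but replaces s_U by alpha^{r_U'} and
    s_V by alpha^{r_V'}. Returns the two keys U and V end up with: they differ, and each one
    still requires a_U or a_V, which W does not have."""
    cert_u, cert_v = issue_cert("U", a_u), issue_cert("V", a_v)
    k_u = mti_key(a_u, r_u, cert_v, first_message(r_v_fake))   # alpha^{r_U a_V + r_V' a_U}
    k_v = mti_key(a_v, r_v, cert_u, first_message(r_u_fake))   # alpha^{r_U' a_V + r_V a_U}
    return k_u, k_v
```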






Cryptography: Theory and Practice:Key Distribution and Key Agreement 

Copyright © CRC Press LLC 






Cryptography: Theory and Practice
by Douglas Stinson
CRC Press, CRC Press LLC
ISBN: 0849385210
Pub Date: 03/17/95












8.4.3 Key Agreement Using Self-certifying Keys

In this section, we describe a method of key agreement, due to Girault, that does not require certificates. The value of a public key and the identity of its owner implicitly authenticate each other.

The Girault Scheme combines features of RSA and discrete logarithms. Suppose n = pq, where $p = 2p_1 + 1$, $q = 2q_1 + 1$, and p, q, $p_1$ and $q_1$ are all large primes. The multiplicative group $\mathbb{Z}_n^*$ is isomorphic to $\mathbb{Z}_p^* \times \mathbb{Z}_q^*$. The maximum order of any element in $\mathbb{Z}_n^*$ is therefore the least common multiple of p − 1 and q − 1, or $2p_1q_1$. Let $\alpha$ be an element of order $2p_1q_1$. Then the cyclic subgroup of $\mathbb{Z}_n^*$ generated by $\alpha$ is a suitable setting for the Discrete Logarithm problem.

In the Girault Scheme, the factorization of n is known only to the TA. The values n and $\alpha$ are public, but p, q, $p_1$, and $q_1$ are all secret. The TA chooses a public RSA encryption exponent, which we will denote by e. The corresponding decryption exponent, d, is secret (recall that $d = e^{-1} \bmod \phi(n)$).



Each user U has an ID string ID(U), as in previous schemes. A user U obtains a self-certifying public key, $p_U$, from the TA as indicated in Figure 8.8. Observe that U needs the help of the TA to produce $p_U$. Note also that

$$b_U = p_U^e + ID(U) \bmod n$$

can be computed from $p_U$ and ID(U) using publicly available information.

Figure 8.8 Obtaining a self-certifying public key from the TA

The Girault Key Agreement Protocol is presented in Figure 8.9. The information transmitted during the protocol is depicted as follows:

U → V: ID(U), $p_U$, $\alpha^{r_U} \bmod n$
V → U: ID(V), $p_V$, $\alpha^{r_V} \bmod n$

At the end of the protocol, U and V each have computed the key

$$K = \alpha^{r_U a_V + r_V a_U} \bmod n.$$

Here is an example of key exchange using the Girault Scheme.

Example 8.4

Suppose p = 839 and q = 863. Then n = 724057 and $\phi(n)$ = 722356. The element $\alpha$ = 5 has order $2p_1q_1 = \phi(n)/2$. Suppose the TA chooses d = 125777 as the RSA decryption exponent; then e = 84453.

Suppose U has ID(U) = 500021 and $a_U$ = 111899. Then $b_U$ = 488889 and $p_U$ = 650704. Suppose also that V has ID(V) = 500022 and $a_V$ = 123456. Then $b_V$ = 111692 and $p_V$ = 683556.

Now, U and V want to exchange a key. Suppose U chooses $r_U$ = 56381, which means that $s_U$ = 171007. Further, suppose V chooses $r_V$ = 356935, which means that $s_V$ = 320688.

Then both U and V will compute the same key K = 42869.

Let's consider how the self-certifying keys guard against one specific type of attack. Since the values $b_U$, $p_U$, and ID(U) are not signed by the TA, there is no way for anyone else to verify their authenticity directly. Suppose this information is forged by W (i.e., it is not produced in cooperation with the TA), who wants to masquerade as U. If W starts with ID(U) and a fake value $b_U'$, then there is no way for her to compute the exponent $a_U'$ corresponding to $b_U'$ if the Discrete Log problem is intractable. Without $a_U'$, the key computation cannot be performed by W (who is pretending to be U).

Figure 8.9 Girault Key Agreement Protocol



The situation is similar if W acts as an intruder-in-the-middle. W will be able to prevent U and V from computing a common key, but W is unable to duplicate the computations of either U or V. Thus the scheme provides implicit key authentication, as did the MTI protocol.

An attentive reader might wonder why U is required to supply the value $a_U$ to the TA. Indeed, the TA can compute $p_U$ directly from $b_U$, without knowing $a_U$. Actually, the important thing here is that the TA should be convinced that U knows the value of $a_U$ before the TA computes $p_U$ for U.

We illustrate this point by showing how the scheme can be attacked if the TA indiscriminately issues public keys $p_U$ to users without first checking that they possess the value $a_U$ corresponding to their $b_U$.

Suppose W chooses a fake value $a_U'$ and computes the corresponding value

$$b_U' = \alpha^{a_U'} \bmod n.$$

Here is how he can determine the corresponding public key

$$p_U' = (b_U' - ID(U))^d \bmod n.$$

W will compute

$$b_W' = b_U' - ID(U) + ID(W)$$

and then give $b_W'$ and ID(W) to the TA. Suppose the TA issues the public key

$$p_W' = (b_W' - ID(W))^d \bmod n$$

to W. Using the fact that

$$b_W' - ID(W) \equiv b_U' - ID(U) \pmod n,$$

it is immediate that $p_W' = p_U'$.

Now, at some later time, suppose U and V execute the protocol, and W substitutes information as follows:

U → W: ID(U), $p_U$, $\alpha^{r_U} \bmod n$      W → V: ID(U), $p_U'$, $\alpha^{r_U'} \bmod n$
V → W: ID(V), $p_V$, $\alpha^{r_V} \bmod n$      W → U: ID(V), $p_V$, $\alpha^{r_V} \bmod n$

Now V will compute the key

$$K' = \alpha^{r_U' a_V + r_V a_U'} \bmod n,$$

whereas U will compute the key

$$K = \alpha^{r_U a_V + r_V a_U} \bmod n.$$

W can compute K' as

$$K' = s_V^{a_U'} (p_V^e + ID(V))^{r_U'} \bmod n.$$

Thus W and V share a key, but V thinks he is sharing a key with U. So W will be able to decrypt messages sent by V to U.
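Example 8.4 together with the TA-side check argued for above, as an added Python example that is not from the book. The trusted authority holds p, q and d and derives e from d as in the example; the one point beyond the text's formulas is how the check is realised: the TA refuses to issue $p_U$ unless the requester's $a_U$ actually satisfies $\alpha^{a_U} \equiv b_U \pmod n$.

```python
"""Girault self-certifying keys (Figures 8.8-8.9, Example 8.4), including the TA's check that
a requester knows a_U before p_U is issued."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    """The public values of the scheme: n = pq, alpha of order 2 p1 q1, RSA exponent e."""
    n: int
    alpha: int
    e: int


class TrustedAuthority:
    """Knows p, q and d; publishes (n, alpha, e). Example 8.4: p = 839, q = 863, alpha = 5, d = 125777."""

    def __init__(self, p: int, q: int, alpha: int, d: int):
        self.n, self.phi, self.d = p * q, (p - 1) * (q - 1), d
        self.e = pow(d, -1, self.phi)             # public exponent, since d = e^{-1} mod phi(n)
        self.params = Params(self.n, alpha, self.e)

    def issue(self, ident: int, b: int, a: int) -> int:
        """Figure 8.8: U hands over ID(U), b_U and a_U; the TA verifies b_U = alpha^{a_U} mod n first.
        Skipping this verification is exactly what enables the masquerade described in the text."""
        if pow(self.params.alpha, a, self.n) != b:
            raise ValueError("b_U is not alpha^{a_U}: refusing to issue a self-certifying key")
        return pow((b - ident) % self.n, self.d, self.n)      # p_U = (b_U - ID(U))^d mod n


def public_value(prm: Params, a: int) -> int:
    """b_U = alpha^{a_U} mod n."""
    return pow(prm.alpha, a, prm.n)


def recover_b(prm: Params, ident: int, p_u: int) -> int:
    """Anyone can rebuild b_U = p_U^e + ID(U) mod n; this is what makes p_U self-certifying."""
    return (pow(p_u, prm.e, prm.n) + ident) % prm.n


def agree(prm: Params, a_me: int, r_me: int, id_peer: int, p_peer: int, s_peer: int) -> int:
    """Figure 8.9: K = s_V^{a_U} * (p_V^e + ID(V))^{r_U} mod n = alpha^{r_V a_U + r_U a_V} mod n."""
    return pow(s_peer, a_me, prm.n) * pow(recover_b(prm, id_peer, p_peer), r_me, prm.n) % prm.n


def example_8_4() -> dict:
    """Runs Example 8.4 end to end and returns the values each side computed."""
    ta = TrustedAuthority(p=839, q=863, alpha=5, d=125777)
    prm = ta.params
    id_u, a_u, id_v, a_v = 500021, 111899, 500022, 123456
    b_u, b_v = public_value(prm, a_u), public_value(prm, a_v)
    p_u, p_v = ta.issue(id_u, b_u, a_u), ta.issue(id_v, b_v, a_v)
    r_u, r_v = 56381, 356935
    s_u, s_v = pow(prm.alpha, r_u, prm.n), pow(prm.alpha, r_v, prm.n)   # exchanged in the clear
    return {
        "e": prm.e, "b_u": b_u, "p_u": p_u, "b_v": b_v, "p_v": p_v,
        "b_u_recovered": recover_b(prm, id_u, p_u),
        "k_u": agree(prm, a_u, r_u, id_v, p_v, s_v),
        "k_v": agree(prm, a_v, r_v, id_u, p_u, s_u),
        "k_expected": pow(prm.alpha, r_u * a_v + r_v * a_u, prm.n),
    }


def issuance_rejected_without_knowledge(ident: int, b_fake: int) -> bool:
    """A requester presenting some b' without an exponent that matches it is turned away."""
    ta = TrustedAuthority(p=839, q=863, alpha=5, d=125777)
    try:
        ta.issue(ident, b_fake, a=1)       # alpha^1 = 5 != b_fake, so the check fails
    except ValueError:
        return True
    return False
```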

8.5 Notes and References 

Blom presented his key predistribution scheme in [BL85]. Generalizations can be found in Blundo et al. 
[BDSHKVY93] and Beimel and Chor [BC94]. 

Diffie and Hellman presented their key exchange algorithm in [DH76]. The idea of key exchange was discovered independently by Merkle [ME78]. The material on authenticated key exchange is taken from Diffie, van Oorschot, and Wiener [DVW92].

Version V of Kerberos is described in [KN93]. For a recent descriptive article on Kerberos, see 
Schiller [SC94]. 
The protocols of Matsumoto, Takashima, and Imai can be found in [MTI86]. Self-certifying key distribution was introduced by Girault [GIR91]. The scheme he presented was actually a key predistribution scheme; the modification to a key agreement scheme is based on [RV94].

Two recent surveys on key distribution and key agreement are Rueppel and Van Oorschot [RV94] and van Tilburg [VT93].

Exercises 

8.1 Suppose the Blom Scheme with k = 1 is implemented for a set of four users, U, V, W and X. Suppose that p = 7873, $r_U$ = 2365, $r_V$ = 6648, $r_W$ = 1837 and $r_X$ = 2186. The secret g polynomials are as follows:

$$g_U(x) = 6018 + 6351x$$
$$g_V(x) = 3749 + 7121x$$
$$g_W(x) = 7601 + 7802x$$
$$g_X(x) = 635 + 6828x$$

(a) Compute the key for each pair of users, verifying that each pair of users obtains a common key (that is, $K_{U,V} = K_{V,U}$, etc.).

(b) Show how W and X together can compute $K_{U,V}$.

8.2 Suppose the Blom Scheme with k = 2 is implemented for a set of five users, U, V, W, X and Y. Suppose that p = 97, $r_U$ = 14, $r_V$ = 38, $r_W$ = 92, $r_X$ = 69 and $r_Y$ = 70. The secret g polynomials are as follows:

$$g_U(x) = 15 + 15x + 2x^2$$
$$g_V(x) = 95 + 77x + 83x^2$$
$$g_W(x) = 88 + 32x + 18x^2$$
$$g_X(x) = 62 + 91x + 59x^2$$
$$g_Y(x) = 10 + 82x + 52x^2.$$

(a) Show how U and V each will compute the key $K_{U,V} = K_{V,U}$.

(b) Show how W, X and Y together can compute $K_{U,V}$.

8.3 Suppose that U and V carry out the Diffie-Hellman Key Exchange with p = 27001 and $\alpha$ = 101. Suppose that U chooses $a_U$ = 21768 and V chooses $a_V$ = 9898. Show the computations performed by both U and V, and determine the key that they will compute.

8.4 Suppose that U and V carry out the MTI Protocol where p = 30113 and $\alpha$ = 52. Suppose that U has $a_U$ = 8642 and chooses $r_U$ = 28654, and V has $a_V$ = 24673 and chooses $r_V$ = 12385. Show the computations performed by both U and V, and determine the key that they will compute.

8.5 If a passive adversary tries to compute the key K constructed by U and V by using the MTI 
protocol, then he is faced with an instance of what we might term the MTI problem, which we 
present in Figure 8.10. Prove that any algorithm that can be used to solve the MTI problem can 
be used to solve the Diffie-Hellman problem, and vice versa. 

8.6 Consider the Girault Scheme where p = 167, q = 179, and hence n = 29893. Suppose $\alpha$ = 2 and e = 11101.

(a) Compute d.

(b) Given that ID(U) = 10021 and $a_U$ = 9843, compute $b_U$ and $p_U$. Given that ID(V) = 10022 and $a_V$ = 7692, compute $b_V$ and $p_V$.

(c) Show how $b_U$ can be computed from $p_U$ and ID(U) using the public exponent e. Similarly, show how $b_V$ can be computed from $p_V$ and ID(V).

(d) Suppose that U chooses $r_U$ = 15556 and V chooses $r_V$ = 6420. Compute $s_U$ and $s_V$, and show how U and V each compute their common key.

Figure 8.10 The MTI problem
Chapter 9

Identification Schemes 

9.1 Introduction 

Cryptographic methods enable many seemingly impossible problems to be solved. One such problem is 
the construction of secure identification schemes. There are many common, everyday situations where it 
is necessary to electronically "prove" one's identity. Some typical scenarios are as follows: 

1. To withdraw money from an automated teller machine (or ATM), we use a card together with 
a four-digit personal identification number (PIN). 

2. To charge purchases over the telephone to a credit card, all that is necessary is a credit card 
number (and the expiry date). 

3. To charge long-distance telephone calls (using a calling card), one requires only a telephone 
number together with a four-digit PIN. 

4. To do a remote login to a computer over a network, it suffices to know a valid user name and 
the corresponding password. 

In practice, these types of schemes are not usually implemented in a secure way. In the protocols 
performed over the telephone, any eavesdropper can use the identifying information for their own 
purposes. This could include the person who is the recipient of the information; many credit card 
"scams" operate in this way. An ATM card is somewhat more secure, but there are still weaknesses. For 
example, someone monitoring the communication line can obtain all the information encoded on the 
card's magnetic strip, as well as the PIN. This could allow an impostor to gain access to a bank account.
Finally, remote computer login is a serious problem due to the fact that user IDs and passwords are 
transmitted over the network in unencrypted form. Thus they are vulnerable to anyone who is 
monitoring the computer network. 

The goal of an identification scheme is that someone "listening in" as Alice identifies herself to Bob, say, should not subsequently be able to misrepresent herself as Alice. Furthermore, we should try to guard against the possibility that Bob himself might try to impersonate Alice after she has identified herself to him. In other words, Alice wants to be able to prove her identity electronically without "giving away" her identifying information.

Figure 9.1 Challenge-and-response protocol

Several such identification schemes have been discovered. One practical objective is to find a scheme 
that is simple enough that it can be implemented on a smart card, which is essentially a credit card 
equipped with a chip that can perform arithmetic computations. Hence, both the amount of computation 
and the memory requirements should be kept as small as possible. Such a card would be a more secure 
alternative to current ATM cards. However, it is important to note that the "extra" security pertains to 
someone monitoring the communication line. Since it is the card that is "proving" its identity, we have 
no extra protection against a lost card. It would still be necessary to include a PIN in order to establish 
that it is the real owner of the card who is initiating the identification protocol. 

In later sections, we will describe some of the more popular identification schemes. But first, we give a very simple scheme that can be based on any private-key cryptosystem, e.g., DES. The protocol, which is described in Figure 9.1, is called a challenge-and-response protocol. In it, we assume that Alice is identifying herself to Bob, and Alice and Bob share a common secret key, K, which specifies an encryption function $e_K$.

We illustrate this protocol with a small example.

Example 9.1

Alice and Bob use an encryption function which does a modular exponentiation:

$$e_K(x) = x^{101375} \bmod 167653.$$

Suppose Bob's challenge is x = 77835. Then Alice responds with y = 100369.

Virtually all identification schemes are challenge-and-response protocols, but the most useful schemes 
do not require shared keys. This idea will be pursued in the remainder of the chapter. 

9.2 The Schnorr Identification Scheme 

We begin by describing the Schnorr Identification Scheme, which is one of the most attractive practical identification schemes. The scheme requires a trusted authority, which we denote by TA. The TA will choose parameters for the scheme as follows:

1. p is a large prime (i.e., $p > 2^{512}$) such that the discrete log problem in $\mathbb{Z}_p$ is intractable.

2. q is a large prime divisor of p − 1 (i.e., $q > 2^{140}$).

3. $\alpha \in \mathbb{Z}_p^*$ has order q (such an $\alpha$ can be computed as the (p − 1)/q-th power of a primitive element).

4. A security parameter t such that $q > 2^t$. For most practical applications, t = 40 will provide adequate security.

5. The TA also establishes a secure signature scheme with a secret signing algorithm $sig_{TA}$ and a public verification algorithm $ver_{TA}$.

6. A secure hash function is specified. As usual, all information is to be hashed before it is signed. In order to make the protocols easier to read, we will omit the hashing steps from the descriptions of the protocols.

The parameters p, q, and $\alpha$, the public verification algorithm $ver_{TA}$ and the hash function are all made public.

A certificate will be issued to Alice by the TA. When Alice wants to obtain a certificate from the TA, 
the steps in Figure 9.2 are carried out. At a later time, when Alice wants to prove her identity to Bob, 
say, the protocol of Figure 9.3 is executed. 

As mentioned above, t is a security parameter. Its purpose is to prevent an impostor posing as Alice, say 
Olga, from guessing Bob's challenge, r. For, if Olga guessed the correct value of r, she could choose any 
value for y and compute 

$\gamma = \alpha^y v^r \bmod p$. 

She would give Bob $\gamma$ in step 1, and then when she receives the challenge r, she would supply the value 
y she has already chosen. Then y would be verified by Bob in step 6. 



Figure 9.2 Issuing a certificate to Alice 

The probability that Olga will guess the value of r correctly is $2^{-t}$ if r is chosen at random by Bob. Thus, 
t = 40 should be a reasonable value for most applications. (But notice that Bob should choose his 
challenge r at random every time Alice identifies herself to him. If Bob always used the same challenge 
r, then Olga could impersonate Alice by the method described above.) 
Basically, there are two things happening in the verification protocol. First, the signature s proves the 
validity of Alice's certificate. Thus Bob verifies the signature of the TA on Alice's certificate to 
convince himself that the certificate itself is authentic. This is essentially the same way that certificates 
were used in Chapter 8. 

The second part of the protocol concerns the secret number a. The value a functions like a PIN in that it 
convinces Bob that the person carrying out the identification protocol is indeed Alice. But there is an 
important difference from a PIN: in the identification protocol, the value of a is not revealed. Instead 
Alice (or more accurately, Alice's smart card) "proves" that she/it knows the value of a in step 5 of the 
protocol by computing the value y in response to the challenge r issued by Bob. Since the value of a is 
not revealed, this technique is called a proof of knowledge . 



Figure 9.3 The Schnorr identification scheme 

The following congruences demonstrate that Alice will be able to prove her identity to Bob: 

$\alpha^y v^r \equiv \alpha^{k + ar} v^r \pmod p$ 
$\equiv \alpha^{k + ar} \alpha^{-ar} \pmod p$ 
$\equiv \alpha^k \pmod p$ 
$\equiv \gamma \pmod p$. 



Thus Bob will accept Alice's proof of identity (assuming he is honest), and the protocol is said to have 
the completeness property. 



Here is a small (toy) example illustrating the challenge-and-response aspect of the protocol. 

Example 9.2 

Suppose p = 88667, q = 1031 and t = 10. The element $\alpha = 70322$ has order q in $\mathbb{Z}_p^*$. Suppose Alice's 
secret exponent is a = 755; then 

$v = \alpha^{-a} \bmod p = 70322^{1031 - 755} \bmod 88667 = 13136$. 

Now suppose Alice chooses k = 543. Then she computes 

$\gamma = \alpha^k \bmod p = 70322^{543} \bmod 88667 = 84109$ 

and sends $\gamma$ to Bob. Suppose Bob issues the challenge r = 1000. Then Alice computes 

$y = k + ar \bmod q = 543 + 755 \times 1000 \bmod 1031 = 851$ 

and sends y to Bob. Bob then verifies that 

$84109 \equiv 70322^{851} \, 13136^{1000} \pmod{88667}$. 

So Bob believes that he is communicating with Alice. 

Next, let's consider how someone might try to impersonate Alice. An impostor, Olga, might try to 
impersonate Alice by forging a certificate 

$C'(Alice) = (ID(Alice), v', s)$ 

where $v' \neq v$. But s is supposed to be a signature of (ID(Alice), v'), and this is verified by Bob in step 3 
of the protocol. If the signature scheme of the TA is secure, Olga will not be able to forge a signature s 
which will subsequently be verified by Bob. 
Another approach would be for Olga to use Alice's correct certificate, which is C(Alice) = (ID(Alice), v, 
s) (recall that certificates are not secret, and the information on a certificate is revealed each time the 
identification protocol is executed). But Olga will not be able to impersonate Alice unless she also 
knows the value of a. This is because of the "challenge" r in step 4. In step 5, Olga would have to 
compute y, but y is a function of a. The computation of a from v involves solving a discrete log problem, 
which we assume is intractable. 

We can prove a more precise statement about the security of the protocol, as follows. 

THEOREM 9.1 

Suppose Olga knows a value $\gamma$ for which she has probability $\epsilon > 1/2^t$ of successfully impersonating 
Alice in the verification protocol. Then Olga can compute a in polynomial time. 

PROOF For a fraction $\epsilon$ of the $2^t$ possible challenges r, Olga can compute a value y which will be 
accepted in step 6 by Bob. Since $\epsilon > 1/2^t$, we have that $2^t \epsilon \geq 2$, and therefore Olga can compute values 
$y_1, y_2, r_1$ and $r_2$ such that 

$y_1 \not\equiv y_2 \pmod q$ 

and 

$\alpha^{y_1} v^{r_1} \equiv \alpha^{y_2} v^{r_2} \pmod p$. 

It follows that 

$\alpha^{y_1 - y_2} \equiv v^{r_2 - r_1} \pmod p$. 

Since $v = \alpha^{-a}$, we have that 

$y_1 - y_2 \equiv a(r_1 - r_2) \pmod q$. 

Now, $0 < |r_1 - r_2| < 2^t$ and $q > 2^t$ is prime. Hence $\gcd(r_1 - r_2, q) = 1$, and Olga can compute 

$a = (y_1 - y_2)(r_1 - r_2)^{-1} \bmod q$, 

as desired. 

The above theorem proves that anyone who has a non-negligible chance of successfully executing the 
identification protocol must know (or be able to compute in polynomial time) Alice's secret exponent a. 
This property is often referred to as soundness. 

We illustrate with an example. 

Example 9.3 

Suppose we have the same parameters as in Example 9.2: p = 88667, q = 1031, t = 10, $\alpha = 70322$, a = 
755 and v = 13136. Suppose Olga learns that 

$\alpha^{851} v^{1000} \equiv \alpha^{454} v^{19} \pmod p$. 

Then she can compute 

$a = (851 - 454)(1000 - 19)^{-1} \bmod 1031 = 755$, 

and thus discover Alice's secret exponent. 
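The following Python program is an added example and not code from the book: it runs the Schnorr identification scheme of Section 9.2 with the toy parameters of Example 9.2, and then applies the extraction step from the proof of Theorem 9.1 to the two transcripts of Example 9.3. The step structure follows the text (Alice sends $\gamma = \alpha^k$, Bob sends r, Alice answers $y = k + ar \bmod q$, Bob checks $\gamma = \alpha^y v^r \bmod p$); the function names are mine, and `pow(x, -1, m)` assumes Python 3.8 or later.

```python
# Added example, not from the book: the Schnorr identification scheme of
# Section 9.2 with the toy parameters of Examples 9.2 and 9.3, plus the
# extractor from the proof of Theorem 9.1.  Steps follow the text: Alice
# sends gamma = alpha^k, Bob sends r, Alice answers y = k + a r mod q, and
# Bob checks gamma = alpha^y v^r mod p.  Bit sizes here are far too small
# for real use; a deployment needs p, q, t as in the parameter list above.
import secrets

p, q, alpha, t = 88667, 1031, 70322, 10   # Example 9.2; q divides p - 1


def keygen(a):
    """Alice's secret exponent a gives the certified value v = alpha^(-a) mod p."""
    return pow(alpha, q - a, p)            # alpha has order q, so alpha^(q-a) = alpha^(-a)


def commit(k):
    """Alice's commitment gamma = alpha^k mod p (k must be fresh each run)."""
    return pow(alpha, k, p)


def challenge():
    """Bob's t-bit challenge; reusing a challenge lets a guesser precompute y."""
    return secrets.randbelow(2 ** t)


def respond(a, k, r):
    """Alice's response y = k + a r mod q; a itself is never sent."""
    return (k + a * r) % q


def verify(v, gamma, r, y):
    """Bob accepts iff gamma == alpha^y v^r mod p (the completeness congruences)."""
    return gamma == (pow(alpha, y, p) * pow(v, r, p)) % p


def extract(y1, r1, y2, r2):
    """Theorem 9.1: two accepted responses to the same gamma under different
    challenges give a = (y1 - y2)(r1 - r2)^(-1) mod q.  The inverse exists
    because 0 < |r1 - r2| < 2^t < q and q is prime."""
    if r1 == r2:
        raise ValueError("challenges must differ")
    return ((y1 - y2) * pow(r1 - r2, -1, q)) % q


def run_example():
    """Replays Example 9.2 and the extraction of Example 9.3."""
    a, k, r = 755, 543, 1000
    v = keygen(a)                          # the book gives v = 13136
    gamma = commit(k)                      # the book gives gamma = 84109
    y = respond(a, k, r)
    accepted = verify(v, gamma, r, y)
    # Example 9.3: the same gamma answered for r = 1000 and r = 19
    recovered = extract(851, 1000, 454, 19)
    return y, accepted, recovered


if __name__ == "__main__":
    print(run_example())                   # (851, True, 755)
```

The `extract` function is the practical reading of Theorem 9.1: soundness is what makes the scheme a proof of knowledge, but the same algebra means that a smart card which ever answers two different challenges with the same commitment $\gamma$ hands over a. Fresh k per run and fresh r per run are therefore both hard requirements, not optimisations.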

We have proved that the protocol is sound and complete. But soundness and completeness are not 
sufficient to ensure that the protocol is "secure." For example, if Alice simply revealed the value of her 
exponent a to prove her identity to Olga (say), the protocol would still be sound and complete. However, 
it would be completely insecure, since Olga could subsequently impersonate Alice. 

This motivates the consideration of the secret information released to a verifier (or an observer) who 
takes part in the protocol (in this protocol, the secret information is the value of the exponent a). Our 
hope is that no information about a can be gained by Olga when Alice proves her identity, for then Olga 
would be able to masquerade as Alice. 

In general, we could envision a situation whereby Alice proves her identity to Olga, say, on several 
different occasions. Perhaps Olga does not choose her challenges (i.e., the values of r) in a random way. 
After several executions of the protocol, Olga will try to determine the value of a so she can 
subsequently impersonate Alice. If Olga can determine no information about the value of a by taking 
part in a polynomial number of executions of the protocol and then performing a polynomial amount of 
computation, then we would be convinced that the protocol is secure. 

It has not been proven that the Schnorr Scheme is secure. But in the next section, we present a 
modification of the Schnorr Scheme, due to Okamoto, that can be proved to be secure given a certain 
computational assumption. 
The Schnorr Scheme was designed to be very fast and efficient, both from a computational point of 
view and in the amount of information that needs to be exchanged in the protocol. It is also designed to 
minimize the amount of computation performed by Alice. This is desirable because in many practical 
applications, Alice's computations will be performed by a smart card with low computing power, while 
Bob's computations will be performed by a more powerful computer. 



For the purpose of discussion, let's assume that ID (Alice) is a 512-bit string, v also comprises 512 bits, 
and s will be 320 bits if the DSS is used as a signature scheme. The total size of the certificate C(Alice) 
(which needs to be stored on Alice's smart card) is then 1344 bits. 



Let us consider Alice's computations: step 1 requires a modular exponentiation to be performed; step 5 
comprises one modular addition and one modular multiplication. It is the modular exponentiation that is 
computationally intensive, but this can be precomputed offline, if desired. The online computations to be 
performed by Alice are very modest. 

It is also a simple matter to calculate the number of bits that are communicated during the protocol. We 
can depict the information that is communicated in the form of a diagram: 

    Alice  ---- C(Alice), γ ---->  Bob 
    Alice  <-------- r ----------  Bob 
    Alice  --------- y -------->  Bob 

Alice gives Bob 1344 + 512 = 1856 bits of information in step 2; Bob gives Alice 40 bits in step 4; and 
Alice gives Bob 140 bits in step 6. So the communication requirements are quite modest, as well. 



Figure 9.4 Issuing a certificate to Alice 
9.3 The Okamoto Identification Scheme 

In this section, we present a modification of the Schnorr Scheme due to Okamoto. This modification 
can be proved secure, assuming the intractability of computing a particular discrete logarithm in $\mathbb{Z}_p$. 

To set up the scheme, the TA chooses p and q as in the Schnorr Scheme. The TA also chooses two 
elements $\alpha_1, \alpha_2 \in \mathbb{Z}_p^*$ both having order q. The value $c = \log_{\alpha_1} \alpha_2$ is kept secret from all the 
participants, including Alice. We will assume that it is infeasible for anyone (even a coalition of Alice 
and Olga, say) to compute the value c. As before, the TA chooses a signature scheme and hash function. 
The certificate issued to Alice by the TA is constructed as described in Figure 9.4. The Okamoto 
Identification Scheme is presented in Figure 9.5. 

Here is an example of the Okamoto Scheme. 

Example 9.4 

As in previous examples, we will take p = 88667, q = 1031, and t = 10. Suppose $\alpha_1 = 58902$ and $\alpha_2 = 73611$ 
(both $\alpha_1$ and $\alpha_2$ have order q in $\mathbb{Z}_p^*$). Now, suppose $a_1 = 846$ and $a_2 = 515$; then v = 13078. 

Figure 9.5 The Okamoto identification scheme 

Suppose Alice chooses $k_1 = 899$ and $k_2 = 16$; then $\gamma = 14574$. If Bob issues the challenge r = 489 then 
Alice will respond with $y_1 = 131$ and $y_2 = 287$. Bob will verify that 

$58902^{131} \, 73611^{287} \, 13078^{489} \equiv 14574 \pmod{88667}$. 

So Bob will accept Alice's proof of identity. 

The proof that the protocol is complete (i.e., that Bob will accept Alice's proof of identity) is 
straightforward. The main difference between Okamoto's and Schnorr's scheme is that we can prove 
that the Okamoto Scheme is secure provided that the computation of the discrete logarithm $\log_{\alpha_1} \alpha_2$ 
is intractable. 
The proof of security is quite subtle. Here is the general idea: As before, Alice identifies herself to Olga 
polynomially many times by executing the protocol. We then suppose (hoping to obtain a contradiction) 
that Olga is able to learn some information about the values of Alice's secret exponents $a_1$ and $a_2$. If this 
is so, then we will show that (with high probability) Alice and Olga together will be able to compute the 
discrete logarithm c in polynomial time. This contradicts the assumption made above, and proves that 
Olga must be unable to obtain any information about Alice's exponents by taking part in the protocol. 

The first part of this procedure is similar to the soundness proof for the Schnorr Scheme. 

THEOREM 9.2 

Suppose Olga knows a value $\gamma$ for which she has probability $\epsilon > 1/2^t$ of successfully impersonating 
Alice in the verification protocol. Then, in polynomial time, Olga can compute values $b_1$ and $b_2$ such that 

$v \equiv \alpha_1^{-b_1} \alpha_2^{-b_2} \pmod p$. 

PROOF For a fraction $\epsilon$ of the $2^t$ possible challenges r, Olga can compute values $y_1, y_2, z_1, z_2, r$ and s 
with $r \neq s$ and 

$\gamma \equiv \alpha_1^{y_1} \alpha_2^{y_2} v^r \equiv \alpha_1^{z_1} \alpha_2^{z_2} v^s \pmod p$. 

Define 

$b_1 = (y_1 - z_1)(r - s)^{-1} \bmod q$ 

and 

$b_2 = (y_2 - z_2)(r - s)^{-1} \bmod q$. 

Then it is easy to check that 

$v \equiv \alpha_1^{-b_1} \alpha_2^{-b_2} \pmod p$, 

as desired. 



We now proceed to show how Alice and Olga can together compute the value of c. 
THEOREM 9.3 

Suppose Olga knows a value $\gamma$ for which she has probability $\epsilon > 1/2^t$ of successfully impersonating 
Alice in the verification protocol. Then, with probability 1 - 1/q, Alice and Olga can together compute 
$\log_{\alpha_1} \alpha_2$ in polynomial time. 

PROOF By Theorem 9.2, Olga is able to determine values $b_1$ and $b_2$ such that 

$v \equiv \alpha_1^{-b_1} \alpha_2^{-b_2} \pmod p$. 

Now suppose that Alice reveals the values $a_1$ and $a_2$ to Olga. Of course 

$v \equiv \alpha_1^{-a_1} \alpha_2^{-a_2} \pmod p$, 

so it must be the case that 

$\alpha_1^{a_1 - b_1} \equiv \alpha_2^{b_2 - a_2} \pmod p$. 

Suppose that $(a_1, a_2) \neq (b_1, b_2)$. Then $(b_2 - a_2)^{-1} \bmod q$ exists, and the discrete log 

$c = \log_{\alpha_1} \alpha_2 = (a_1 - b_1)(b_2 - a_2)^{-1} \bmod q$ 

can be computed in polynomial time. 
There remains to be considered the possibility that $(a_1, a_2) = (b_1, b_2)$. If this happens, then the value of c 
cannot be computed as described above. However, we will argue that $(a_1, a_2) = (b_1, b_2)$ will happen only 
with very small probability 1/q, so the procedure whereby Alice and Olga compute c will almost surely 
succeed. 

Define 

$\mathcal{A} = \{(a_1', a_2') \in \mathbb{Z}_q \times \mathbb{Z}_q : \alpha_1^{-a_1'} \alpha_2^{-a_2'} \equiv \alpha_1^{-a_1} \alpha_2^{-a_2} \pmod p\}$. 

That is, $\mathcal{A}$ consists of all the possible ordered pairs that could be Alice's secret exponents. Observe that 

$\mathcal{A} = \{(a_1 - c\theta, a_2 + \theta) : \theta \in \mathbb{Z}_q\}$, 

where $c = \log_{\alpha_1} \alpha_2$. Thus $\mathcal{A}$ consists of q ordered pairs. 

The ordered pair $(b_1, b_2)$ computed by Olga is certainly in the set $\mathcal{A}$. We will argue that the value of the 
pair $(b_1, b_2)$ is independent of the value of the pair $(a_1, a_2)$ that comprises Alice's secret exponents. Since 
$(a_1, a_2)$ was originally chosen at random by Alice, it must be the case that the probability that $(a_1, a_2) = 
(b_1, b_2)$ is 1/q. 

So, we need to say what we mean by $(b_1, b_2)$ being "independent" of $(a_1, a_2)$. The idea is that Alice's 
pair $(a_1, a_2)$ is one of the q possible ordered pairs in the set $\mathcal{A}$, and no information about which is the 
"correct" ordered pair is revealed by Alice identifying herself to Olga. (Stated informally, Olga knows 
that an ordered pair from $\mathcal{A}$ comprises Alice's exponents, but she has no way of telling which one.) 

Let's look at the information that is exchanged during the identification protocol. Basically, in each 
execution of the protocol, Alice chooses a $\gamma$; Olga chooses an r; and Alice reveals $y_1$ and $y_2$ such that 

$\gamma \equiv \alpha_1^{y_1} \alpha_2^{y_2} v^r \pmod p$. 

Recall that Alice computes 

$y_1 = k_1 + a_1 r \bmod q$ 

and 

$y_2 = k_2 + a_2 r \bmod q$, 

where 

$\gamma = \alpha_1^{k_1} \alpha_2^{k_2} \bmod p$. 

But note that $k_1$ and $k_2$ are not revealed (nor are $a_1$ and $a_2$). 

The particular quadruple $(\gamma, r, y_1, y_2)$ that is generated during one execution of the protocol appears to 
depend on Alice's ordered pair $(a_1, a_2)$, since $y_1$ and $y_2$ are defined in terms of $a_1$ and $a_2$. But we will 
show that each such quadruple could equally well be generated from any other ordered pair 
$(a_1', a_2') \in \mathcal{A}$. To see this, suppose $(a_1', a_2') \in \mathcal{A}$, i.e., $a_1' = a_1 - c\theta$ and $a_2' = a_2 + \theta$ 
where $0 \leq \theta \leq q - 1$. We can express $y_1$ and $y_2$ as follows: 

$y_1 = k_1 + a_1 r = k_1 + (a_1' + c\theta) r = (k_1 + rc\theta) + a_1' r$, 

and 

$y_2 = k_2 + a_2 r = k_2 + (a_2' - \theta) r = (k_2 - r\theta) + a_2' r$, 

where all arithmetic is performed in $\mathbb{Z}_q$. That is, the quadruple $(\gamma, r, y_1, y_2)$ is also consistent with the 
ordered pair $(a_1', a_2')$ using the random choices $k_1' = k_1 + rc\theta$ and $k_2' = k_2 - r\theta$ to produce (the 
same) $\gamma$. We have already noted that the values of $k_1$ and $k_2$ are not revealed by Alice, so the quadruple 
$(\gamma, r, y_1, y_2)$ yields no information regarding which ordered pair in $\mathcal{A}$ Alice is actually using for her secret 
exponents. This completes the proof. 

This security proof is certainly quite elegant and subtle. It would perhaps be useful to recap the features 
of the protocol that lead to the proof of security. The basic idea involves having Alice choose two secret 
exponents rather than one. There are a total of q pairs in the set $\mathcal{A}$ that are "equivalent" to Alice's pair 
$(a_1, a_2)$. The fact that leads to the ultimate contradiction is that knowledge of two different pairs in $\mathcal{A}$ 
provides an efficient method of computing the discrete logarithm c. Alice, of course, knows one pair in 
$\mathcal{A}$; and we proved that if Olga can impersonate Alice, then Olga is able to compute a pair in $\mathcal{A}$ which 
(with high probability) is different from Alice's pair. Thus Alice and Olga together can find two pairs in 
$\mathcal{A}$ and compute c, which provides the desired contradiction. 

Here is an example to illustrate the computation of $\log_{\alpha_1} \alpha_2$ by Alice and Olga. 

Example 9.5 

As in Example 9.4, we will take p = 88667, q = 1031 and t = 10, and assume that v = 13078. 
Suppose Olga has determined that 

$\alpha_1^{131} \alpha_2^{287} v^{489} \equiv \alpha_1^{890} \alpha_2^{303} v^{199} \pmod p$. 

Then she can compute 

$b_1 = (131 - 890)(489 - 199)^{-1} \bmod 1031 = 456$ 

and 

$b_2 = (287 - 303)(489 - 199)^{-1} \bmod 1031 = 519$. 

Now, using the values of $a_1$ and $a_2$ supplied by Alice, the value 

$c = (846 - 456)(519 - 515)^{-1} \bmod 1031 = 613$ 

is computed. This value c is in fact $\log_{\alpha_1} \alpha_2$, as can be verified by calculating 

$58902^{613} \bmod 88667 = 73611$. 
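The following Python program is an added example, not code from the book: it runs the Okamoto scheme of Section 9.3 with the toy values of Example 9.4 and then carries out the computations of Theorem 9.2 (the pair $(b_1, b_2)$ from two transcripts) and Theorem 9.3 (the discrete logarithm c from two different pairs) exactly as in Example 9.5. Function names are mine; the step structure is the one described in the text, and `pow(x, -1, m)` assumes Python 3.8 or later.

```python
# Added example, not from the book: the Okamoto identification scheme of
# Section 9.3 with the toy parameters of Example 9.4, followed by the
# computations of Theorems 9.2 and 9.3 exactly as in Example 9.5.  Steps
# follow the text: gamma = alpha1^k1 alpha2^k2, r from Bob, y_i = k_i + a_i r
# mod q, and Bob checks gamma = alpha1^y1 alpha2^y2 v^r mod p.
p, q = 88667, 1031
alpha1, alpha2 = 58902, 73611            # both of order q in Z_p^*; log_alpha1(alpha2) is the TA's secret


def keygen(a1, a2):
    """v = alpha1^(-a1) alpha2^(-a2) mod p, signed by the TA into Alice's certificate."""
    return (pow(alpha1, q - a1, p) * pow(alpha2, q - a2, p)) % p


def commit(k1, k2):
    """gamma = alpha1^k1 alpha2^k2 mod p for fresh random k1, k2."""
    return (pow(alpha1, k1, p) * pow(alpha2, k2, p)) % p


def respond(a1, a2, k1, k2, r):
    """y1 = k1 + a1 r mod q and y2 = k2 + a2 r mod q."""
    return (k1 + a1 * r) % q, (k2 + a2 * r) % q


def verify(v, gamma, r, y1, y2):
    """Bob accepts iff gamma == alpha1^y1 alpha2^y2 v^r mod p."""
    rhs = (pow(alpha1, y1, p) * pow(alpha2, y2, p) * pow(v, r, p)) % p
    return gamma == rhs


def pair_from_transcripts(y1, y2, r, z1, z2, s):
    """Theorem 9.2: two accepted transcripts for the same gamma with r != s
    yield (b1, b2) with v = alpha1^(-b1) alpha2^(-b2) mod p."""
    inv = pow(r - s, -1, q)
    return ((y1 - z1) * inv) % q, ((y2 - z2) * inv) % q


def dlog_from_two_pairs(a1, a2, b1, b2):
    """Theorem 9.3: two different pairs in the set A give c = log_alpha1(alpha2).
    Returns None in the probability-1/q case where the pairs coincide."""
    if (a1, a2) == (b1, b2):
        return None
    return ((a1 - b1) * pow(b2 - a2, -1, q)) % q


def run_example():
    """Replays Example 9.4 and then Example 9.5."""
    a1, a2, k1, k2, r = 846, 515, 899, 16, 489
    v = keygen(a1, a2)                   # the book gives v = 13078
    gamma = commit(k1, k2)               # the book gives gamma = 14574
    y1, y2 = respond(a1, a2, k1, k2, r)
    accepted = verify(v, gamma, r, y1, y2)
    # Example 9.5: Olga's second transcript for the same gamma
    b1, b2 = pair_from_transcripts(131, 287, 489, 890, 303, 199)
    c = dlog_from_two_pairs(a1, a2, b1, b2)
    return (y1, y2), accepted, (b1, b2), c, pow(alpha1, c, p) == alpha2


if __name__ == "__main__":
    print(run_example())                 # ((131, 287), True, (456, 519), 613, True)
```

Note how the security argument shows up in the code: `pair_from_transcripts` on its own only yields some pair in $\mathcal{A}$, which is useless to Olga without a second pair; it is the combination with Alice's own $(a_1, a_2)$ in `dlog_from_two_pairs` that produces the TA's secret c, which is exactly the contradiction the proof relies on.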

Finally, we should emphasize that, although there is no known proof that the Schnorr Scheme is secure 
(even assuming that the discrete logarithm problem is intractable), neither is there any known weakness 
in the scheme. Actually, the Schnorr Scheme might be preferred in practice to the Okamoto Scheme 
simply because it is somewhat faster. 
9.4 The Guillou-Quisquater Identification Scheme 

In this section, we describe another identification scheme, due to Guillou and Quisquater, that is based 
on RSA. 

The set-up of the scheme is as follows: The TA chooses two primes p and q and forms the product n = 
pq. The values of p and q are secret, while n is public. As is usually the case, p and q should be chosen 
large enough that factoring n is intractable. Also, the TA chooses a large prime integer b which will 
function as a security parameter as well as being a public RSA encryption exponent; to be specific, let us 
suppose that b is a 40-bit prime. Finally, the TA chooses a signature scheme and hash function. 

The certificate issued to Alice by the TA is constructed as described in Figure 9.6. When Alice wants to 
prove her identity to Bob, say, the protocol of Figure 9.7 is executed. We will prove that the Guillou-
Quisquater Scheme is sound and complete. However, the scheme has not been proved to be secure 
(even assuming that the RSA cryptosystem is secure). 



Figure 9.6 Issuing a certificate to Alice 

Figure 9.7 The Guillou-Quisquater identification scheme 



Example 9.6 

Suppose the TA chooses p = 467 and q = 479, so n = 223693. Suppose also that b = 503 and Alice's 
secret integer u = 101576. Then she will compute 

$v = (u^{-1})^b \bmod n = (101576^{-1})^{503} \bmod 223693 = 89888$. 

Now, let's assume that Alice is proving her identity to Bob and she chooses k = 187485; then she gives 
Bob the value 

$\gamma = k^b \bmod n = 187485^{503} \bmod 223693 = 24412$. 

Suppose Bob responds with the challenge r = 375. Then Alice will compute 

$y = k u^r \bmod n = 187485 \times 101576^{375} \bmod 223693 = 93725$ 

and gives it to Bob. Bob then verifies that 

$24412 \equiv 89888^{375} \, 93725^{503} \pmod{223693}$. 

Hence, Bob accepts Alice's proof of identity. 

As is generally the case, proving completeness is quite simple: 

$v^r y^b \equiv (u^{-b})^r (k u^r)^b \equiv u^{-br} k^b u^{br} \equiv k^b \equiv \gamma \pmod n$. 


Now, let us consider soundness. We will prove that the scheme is sound provided that it is infeasible to 
compute u from v. Since v is formed from u by RSA encryption, this is a plausible assumption to make. 

THEOREM 9.4 

Suppose Olga knows a value $\gamma$ for which she has probability $\epsilon > 1/b$ of successfully impersonating Alice 
in the verification protocol. Then, in polynomial time, Olga can compute u. 

PROOF For some $\gamma$, Olga can compute values $y_1, y_2, r_1, r_2$ with $r_1 \neq r_2$, such that 

$\gamma \equiv v^{r_1} y_1^b \equiv v^{r_2} y_2^b \pmod n$. 

Suppose, without loss of generality, that $r_1 > r_2$. Then we have 

$v^{r_1 - r_2} \equiv (y_2 / y_1)^b \pmod n$. 

Since $0 < r_1 - r_2 < b$ and b is prime, $t = (r_1 - r_2)^{-1} \bmod b$ exists, and it can be computed in polynomial 
time by Olga using the Euclidean algorithm. Hence, we have that 

$v^{(r_1 - r_2) t} \equiv (y_2 / y_1)^{bt} \pmod n$. 

Now, 

$(r_1 - r_2) t = \ell b + 1$ 

for some positive integer $\ell$, so 

$v^{\ell b + 1} \equiv (y_2 / y_1)^{bt} \pmod n$, 

or equivalently, 

$v \equiv \left( (y_2 / y_1)^t v^{-\ell} \right)^b \pmod n$. 

Now raise both sides of the congruence to the power $b^{-1} \bmod \phi(n)$, to get the following: 

$u^{-1} \equiv (y_2 / y_1)^t v^{-\ell} \pmod n$. 

Finally, compute the inverse modulo n of both sides of this congruence, to obtain the following formula 
for u: 

$u = (y_1 / y_2)^t v^{\ell} \bmod n$. 

Olga can use this formula to compute u in polynomial time. 
Example 9.7 

As in the previous example, suppose that n = 223693, b = 503, u = 101576 and v = 89888. Suppose Olga 
has learned that 

$v^{401} \, 103386^b \equiv v^{375} \, 93725^b \pmod n$. 

She will first compute 

$t = (r_1 - r_2)^{-1} \bmod b = (401 - 375)^{-1} \bmod 503 = 445$. 

Next, she calculates 

$\ell = \frac{(r_1 - r_2) t - 1}{b} = \frac{(401 - 375) \cdot 445 - 1}{503} = 23$. 

Finally, she can obtain the secret value u as follows: 

$u = (y_1 / y_2)^t v^{\ell} \bmod n = (103386 / 93725)^{445} \, 89888^{23} \bmod 223693 = 101576$. 

Thus Alice's secret exponent has been compromised. 

Figure 9.8 Issuing a value u to Alice 
9.4.1 Identity-based Identification Schemes 

The Guillou-Quisquater Identification Scheme can be transformed into what is known as an identity-
based identification scheme. This basically means that certificates are not necessary. Instead, the TA 
computes the value of u as a function of Alice's ID string, using a public hash function h with range $\mathbb{Z}_n$. 
This is done as indicated in Figure 9.8. The identification protocol now works as described in Figure 9.9. 
The value v is computed from Alice's ID string via the public hash function h. In order to carry out the 
identification protocol, Alice needs to know the value of u, which can be computed only by the TA 
(assuming that the RSA cryptosystem is secure). If Olga tries to identify herself as Alice, she will not 
succeed because she does not know the value of u. 



Figure 9.9 The Guillou-Quisquater identity-based identification scheme 
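The following Python program is an added example, not code from the book: it runs the Guillou-Quisquater scheme of Section 9.4 with the values of Example 9.6, recovers u from two responses to the same commitment as in Theorem 9.4 and Example 9.7, and shows the TA-side computation of u for the identity-based variant of Section 9.4.1. The page fixes no particular hash function, so SHA-256 reduced modulo n is assumed for h; function names are mine, and `pow(x, -1, m)` assumes Python 3.8 or later.

```python
# Added example, not from the book: the Guillou-Quisquater scheme of Section
# 9.4 with the parameters of Examples 9.6 and 9.7, the extractor of Theorem
# 9.4, and the TA's computation of u for the identity-based variant of
# Section 9.4.1.  The hash h with range Z_n is assumed to be SHA-256 reduced
# mod n; the page fixes no particular hash.  Toy sizes only: a real n must be
# hard to factor and b should be a 40-bit prime as the text suggests.
import hashlib
from math import gcd

P, Q = 467, 479                          # TA's secret primes (Example 9.6)
n = P * Q                                # 223693, public
b = 503                                  # public prime exponent and security parameter
phi = (P - 1) * (Q - 1)                  # phi(n), known only to the TA


def public_value(u):
    """v = (u^-1)^b mod n; the TA signs (ID(Alice), v) into the certificate."""
    return pow(pow(u, -1, n), b, n)


def commit(k):
    """Alice's commitment gamma = k^b mod n for a fresh random k in Z_n^*."""
    return pow(k, b, n)


def respond(u, k, r):
    """Alice's response y = k u^r mod n to Bob's challenge r in [0, b - 1]."""
    return (k * pow(u, r, n)) % n


def verify(v, gamma, r, y):
    """Bob accepts iff gamma == v^r y^b mod n (completeness: v^r y^b = k^b)."""
    return gamma == (pow(v, r, n) * pow(y, b, n)) % n


def extract_u(v, y1, r1, y2, r2):
    """Theorem 9.4: from v^r1 y1^b = v^r2 y2^b (mod n) with r1 != r2 recover
    u = (y1/y2)^t v^ell mod n, t = (r1 - r2)^-1 mod b, (r1 - r2) t = ell b + 1.
    Returns (u, t, ell)."""
    if r1 < r2:                          # the proof assumes r1 > r2
        y1, r1, y2, r2 = y2, r2, y1, r1
    t = pow(r1 - r2, -1, b)              # exists: 0 < r1 - r2 < b and b is prime
    ell = ((r1 - r2) * t - 1) // b
    ratio = (y1 * pow(y2, -1, n)) % n    # y1 / y2 mod n
    return (pow(ratio, t, n) * pow(v, ell, n)) % n, t, ell


def ta_issue_u(identity):
    """Section 9.4.1: v = h(ID(Alice)) and u is the b-th root of v^-1 mod n,
    which requires b^-1 mod phi(n), i.e. the factorisation of n."""
    v = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n
    if gcd(v, n) != 1:                   # negligible for a real n; guard the toy modulus
        raise ValueError("h(ID) not invertible mod n")
    d = pow(b, -1, phi)
    return v, pow(pow(v, -1, n), d, n)


def run_example():
    """Replays Example 9.6 and an extraction in the manner of Example 9.7,
    using two responses computed from the same k (the book's transcript has
    y1 = 103386 for r1 = 401)."""
    u, k = 101576, 187485
    v = public_value(u)                  # the book gives v = 89888
    gamma = commit(k)                    # the book gives gamma = 24412
    y = respond(u, k, 375)
    accepted = verify(v, gamma, 375, y)
    recovered, t, ell = extract_u(v, respond(u, k, 401), 401, y, 375)
    return y, accepted, recovered, t, ell


if __name__ == "__main__":
    print(run_example())                 # (93725, True, 101576, 445, 23)
```

In the identity-based variant Bob never sees a certificate: he recomputes $v = h(ID(Alice))$ himself and runs the same `verify`, so the only secret that needs protecting is the TA's factorisation of n, which is what `ta_issue_u` consumes through $b^{-1} \bmod \phi(n)$.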

9.5 Converting Identification to Signature Schemes 

There is a standard method of converting an identification scheme to a signature scheme. The basic idea 
is to replace the verifier (Bob) by a public hash function, h. In a signature scheme obtained by this 
approach, the message is not hashed before it is signed; the hashing is integrated into the signing 
algorithm. 

We illustrate this approach by converting the Schnorr Scheme into a signature scheme. See Figure 9.10. 
In practice, one would probably take the hash function h to be the SHS, with the result reduced modulo 
q. Since the SHS produces a bitstring of length 160 and q is a 160-bit prime, the modulo q reduction is 
necessary only if the message digest produced by the SHS exceeds q; and even in this situation it is 
necessary only to subtract q from the result. 

In proceeding from an identification scheme to a signature scheme, we replaced a 40-bit challenge by a 
160-bit message digest. 40 bits suffice for a challenge since an impostor needs to be able to guess the 
challenge in order to precompute a response that will be accepted. But in the context of a signature 
scheme, we need message digests of a much larger size, in order to prevent attacking the scheme by 
finding collisions in the hash function. 

Other identification schemes can be converted to signature schemes in a similar fashion. 
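The following Python program is an added example, not code from the book: it builds the Schnorr signature scheme of Section 9.5 from the identification scheme by replacing Bob's challenge with a hash of the message and the commitment, using the toy parameters of Example 9.2. SHA-1 reduced modulo q stands in for the SHS (an assumption; with a real 160-bit q the reduction is the single subtraction described above). The signature layout $(\gamma, y)$ with $y = k + a\,h(x, \gamma) \bmod q$ follows the text; function names are mine.

```python
# Added example, not from the book: the Schnorr signature scheme obtained
# from the identification scheme as in Section 9.5.  Bob's random challenge
# r is replaced by h(x, gamma), so anyone holding v can verify.  SHA-1 mod q
# stands in for the SHS; toy parameters from Example 9.2.
import hashlib
import secrets

p, q, alpha = 88667, 1031, 70322


def h(message: bytes, gamma: int) -> int:
    """Challenge derived from the message and the commitment, reduced mod q.
    Binding gamma into the hash is what stops a signature being reused for
    another message."""
    data = message + gamma.to_bytes((p.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % q


def keygen(a):
    """Public verification value v = alpha^(-a) mod p."""
    return pow(alpha, q - a, p)


def sign(a, message, k=None):
    """sig(x) = (gamma, y) with gamma = alpha^k mod p and y = k + a h(x, gamma) mod q."""
    if k is None:
        k = secrets.randbelow(q)         # a fresh k per signature is mandatory (Theorem 9.1)
    gamma = pow(alpha, k, p)
    y = (k + a * h(message, gamma)) % q
    return gamma, y


def verify(v, message, sig):
    """Accept iff gamma == alpha^y v^h(x, gamma) mod p, the identification
    check with the hash playing Bob's part."""
    gamma, y = sig
    return gamma == (pow(alpha, y, p) * pow(v, h(message, gamma), p)) % p


def demo():
    """Signs one message and checks that the signature does not transfer to another."""
    a = 755
    v = keygen(a)
    msg = b"transfer 100 to Bob"
    sig = sign(a, msg, k=543)
    return verify(v, msg, sig), verify(v, b"transfer 900 to Bob", sig)


if __name__ == "__main__":
    print(demo())                        # (True, False)
```

The second value returned by `demo` is where the size remark in the text bites: with the toy q the "challenge" has only about 10 bits, so a forger who can find two messages with the same $h(x, \gamma)$ can move a signature between them, which is why the signature version needs a full-size message digest rather than the 40-bit challenge that suffices for identification.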
Figure 9.10 Schnorr Signature Scheme 

9.6 Notes and References 

The Schnorr Identification Scheme is from [SC91], the Okamoto Scheme was presented in [OK93], 
and the Guillou-Quisquater Scheme can be found in [GQ88]. Another scheme that can be proved 
secure under a plausible computational assumption has been given by Brickell and McCurley [BM92]. 

Other popular identification schemes include the Feige-Fiat-Shamir Scheme [FFS88] (see also [FS87]) 
and Shamir's Permuted Kernel Scheme [SH90]. The Feige-Fiat-Shamir Scheme is proved secure 
using zero-knowledge techniques (see Chapter 13 for more information on zero-knowledge proofs). 

The method of constructing signature schemes from identification schemes is due to Fiat and Shamir 
[FS87]. They also describe an identity-based version of their identification scheme. 

Surveys on identification schemes have been published by Burmester, Desmedt, and Beth [BDB92] and 
de Waleffe and Quisquater [DWQ93]. 

Exercises 

9.1 Consider the following possible identification scheme. Alice possesses a secret key n = pq, 
where p and q are prime and $p \equiv q \equiv 3 \pmod 4$. The values n and ID(Alice) are signed by the TA, 
as usual, and stored on Alice's certificate. When Alice wants to identify herself to Bob, say, Bob 
will present Alice with a random quadratic residue modulo n, say x. Then Alice will compute a 
square root y of x and give it to Bob. Bob then verifies that $y^2 \equiv x \pmod n$. Explain why this 
scheme is insecure. 

9.2 Suppose Alice is using the Schnorr Scheme where q = 1201, p = 122503, t = 10 and $\alpha = 11538$. 

(a) Verify that $\alpha$ has order q in $\mathbb{Z}_p^*$. 

(b) Suppose that Alice's secret exponent is a = 357. Compute v. 

(c) Suppose that k = 868. Compute $\gamma$. 

(d) Suppose that Bob issues the challenge r = 501. Compute Alice's response y. 

(e) Perform Bob's calculations to verify y. 




Cryptography: Theory and Practice:Identification Schemes 



9.3 Suppose that Alice uses the Schnorr Scheme with p, q, t and $\alpha$ as in Exercise 9.2. Now 
suppose that v = 51131, and Olga has learned that 
A M! = a 15 V°" (mod p). 

Show how Olga can compute Alice's secret exponent a. 

9.4 Suppose that Alice is using the Okamoto Scheme with q = 1201, p = 122503, t = 10, $\alpha_1 = 60497$ 
and $\alpha_2 = 17163$. 

(a) Suppose that Alice's secret exponents are $a_1 = 432$ and $a_2 = 423$. Compute v. 

(b) Suppose that $k_1 = 389$ and $k_2 = 191$. Compute $\gamma$. 

(c) Suppose that Bob issues the challenge r = 21. Compute Alice's response, $y_1$ and $y_2$. 

(d) Perform Bob's calculations to verify $y_1$ and $y_2$. 

9.5 Suppose that Alice uses the Okamoto Scheme with p, q, t, $\alpha_1$, and $\alpha_2$ as in Exercise 9.4. 
Suppose also that v = 119504. 
(a) Verify that 

7f) 1033 877 _ 248 8&3 992 { i \ 

ai Q2 v = ai a-2 v (mod p). 

(b) Use this information to compute $b_1$ and $b_2$ such that 

$\alpha_1^{-b_1} \alpha_2^{-b_2} \equiv v \pmod p$. 

(c) Now suppose that Alice reveals that $a_1 = 484$ and $a_2 = 935$. Show how Alice and Olga 
together will compute $\log_{\alpha_1} \alpha_2$. 

9.6 Suppose that Alice is using the Guillou-Quisquater Scheme with p = 503, q = 379, and b = 
509. 

(a) Suppose that Alice's secret u = 155863. Compute v. 

(b) Suppose that k = 123845. Compute y. 

(c) Suppose that Bob issues the challenge r = 487. Compute Alice's response, y. 

(d) Perform Bob's calculations to verify y. 

9.7 Suppose that Alice is using the Guillou-Quisquater Scheme with n = 199543, b = 523 and v 
= 146152. Suppose that Olga has discovered that 

$v^{86} \, 101360^b \equiv v^{257} \, 36056^b \pmod n$. 

Show how Olga can compute u. 
Chapter 10 

Authentication Codes 

10.1 Introduction 

We have spent a considerable amount of time studying cryptosystems, which are used to obtain secrecy. 
An authentication code provides a method of ensuring the integrity of a message, i.e., that the message 
has not been tampered with and that it originated with the presumed transmitter. Our goal is to achieve 
this authentication capability even in the presence of an active opponent, Oscar, who can observe 
messages in the channel and introduce messages of his own choosing into the channel. This goal is 
accomplished in the "private-key" setting whereby Alice and Bob share a secret key, K, before any 
message is transmitted. 

In this chapter, we study codes that provide authentication but no secrecy. In such a code, a key is used 
to compute an authentication tag which will enable Bob to check the authenticity of the message he 
receives. Another application of an authentication code is to verify that data in a large file has not been 
tampered with. An authentication tag would be stored with the data; the key used to generate and verify 
the authenticator would be stored separately, in a "secure" area. 

We should also point out that, in many respects, an authentication code is similar to a signature scheme 
or to a message authentication code (MAC). The main differences are as follows: The security of an 
authentication code is unconditional, whereas signature schemes and MACs are studied from the point 
of view of computational security. Also, when an authentication code (or a MAC) is used, a message can 
be verified only by the intended receiver. In comparison, anyone can verify a signature using a public 
verification algorithm. 

We now give a formal definition of the terminology we use in the study of authentication codes. 

DEFINITION 10.1 An authentication code is a four-tuple $(\mathcal{S}, \mathcal{A}, \mathcal{K}, \mathcal{E})$ where the following conditions 
are satisfied: 

1. $\mathcal{S}$ is a finite set of possible source states 

2. $\mathcal{A}$ is a finite set of possible authentication tags 

3. $\mathcal{K}$, the key space, is a finite set of possible keys. 

4. For each $K \in \mathcal{K}$ there is an authentication rule $e_K \in \mathcal{E}$, $e_K : \mathcal{S} \to \mathcal{A}$. 

The message set is defined to be $\mathcal{M} = \mathcal{S} \times \mathcal{A}$. 

Figure 10.1 Impersonation by Oscar 

REMARK Note that a source state is analogous to a plaintext. A message consists of a plaintext with an 
appended authentication tag; it could be more precisely referred to as a signed message. Also, an 
authentication rule need not be an injective function. 

In order to transmit a (signed) message, Alice and Bob follow the following protocol. First, they jointly 
choose a random key $K \in \mathcal{K}$. This is done in secret, as in a private-key cryptosystem. At a later time, 
suppose that Alice wants to communicate a source state $s \in \mathcal{S}$ to Bob over an insecure channel. Alice 
computes $a = e_K(s)$ and sends the message (s, a) to Bob. When Bob receives (s, a), he computes $a' = e_K(s)$. 
If a' = a, then he accepts the message as authentic; otherwise, he rejects it. 

We will study two different types of attacks that Oscar might carry out. In both of these attacks, Oscar is 
an "intruder-in-the-middle." These attacks described are as follows: 

Impersonation 

Oscar introduces a message (s, a) into the channel, hoping to have it accepted as authentic by 
Bob. This is depicted in Figure 10.1. 
Substitution 

Oscar observes a message (s, a) in the channel, and then changes it to (s', a'), where $s' \neq s$, again 
hoping to have it accepted as authentic by Bob. Hence, he is hoping to mislead Bob as to the 
source state. This is depicted in Figure 10.2. 

Associated with each of these attacks is a deception probability, which represents the probability that 
Oscar will successfully deceive Bob, if he (Oscar) follows an optimal strategy. These probabilities are 
denoted by $Pd_0$ (impersonation) and $Pd_1$ (substitution). In order to compute $Pd_0$ and $Pd_1$ we need to 
specify probability distributions on $\mathcal{S}$ and $\mathcal{K}$. These will be denoted by $p_{\mathcal{S}}$ and $p_{\mathcal{K}}$, respectively. We 
assume that the authentication code and these two probability distributions are known to Oscar. The only 
information that Alice and Bob possess that is not known to Oscar is the value of the key, K. This is 
analogous to the way that we studied the unconditional security of private-key cryptosystems. 

Figure 10.2 Substitution by Oscar 

10.2 Computing Deception Probabilities 

In this section, we look at the computation of deception probabilities. We begin with a small example of 
an authentication code. 

Example 10.1 

Suppose 

S = A = Z_3 

and 

K = Z_3 × Z_3. 

For each (i, j) ∈ K and each s ∈ S, define 

e_{(i,j)}(s) = is + j \bmod 3. 

It will be useful to study the authentication matrix, which tabulates all the values e_K(s). For each key 
K ∈ K and for each s ∈ S, place the authentication tag e_K(s) in row K and column s of a |K| × |S| 
matrix M. The array M is presented in Figure 10.3. 
Suppose that the key is chosen at random, i.e., 

p_K(K) = 1/9 

for each K ∈ K. We do not specify the probability distribution p_S since it turns out to be immaterial in 
this example. 



Let's first consider an impersonation attack. Oscar will pick a source state s, and attempt to guess the 
"correct" authentication tag. Denote by K_0 the actual key being used (which is unknown to Oscar). Oscar 
will succeed in deceiving Bob if he guesses the tag a = e_{K_0}(s). However, for any s ∈ S and 
a ∈ A, it is easy to verify that there are exactly three (out of nine) authentication rules such 
that e_K(s) = a. (In other words, each symbol occurs three times in each column of the authentication 
matrix.) Hence, it follows that Pd_0 = 1/3. 



key      0   1   2 
(0, 0)   0   0   0 
(0, 1)   1   1   1 
(0, 2)   2   2   2 
(1, 0)   0   1   2 
(1, 1)   1   2   0 
(1, 2)   2   0   1 
(2, 0)   0   2   1 
(2, 1)   1   0   2 
(2, 2)   2   1   0 

Figure 10.3 An authentication matrix 



Substitution is a bit more complicated to analyze. As a specific case, suppose Oscar observes the 
message (0, 0) in the channel. This does give Oscar some information about the key: he now knows that 

K_0 ∈ {(0, 0), (1, 0), (2, 0)}. 

Now suppose Oscar replaces the message (0, 0) with the message (1, 1). Then, he will succeed in his 
deception if and only if K_0 = (1, 0). The probability that K_0 = (1, 0) is 1/3, since the key is known to be 
in the set {(0, 0), (1, 0), (2, 0)}. 

A similar analysis can be done for any substitution that Oscar might make. In general, if Oscar observes 
the message (s, a), and replaces it with any message (s', a') where s' ≠ s, then he deceives Bob with 
probability 1/3. We can see this as follows. Observation of (s, a) restricts the key to one of three 
possibilities. Then, for each choice of (s', a'), there is one key (out of the three possible keys) under 
which a' is the authentication tag for s'. 

Let's now discuss how to compute the deception probabilities in general. First, we consider Pd_0. As 
above, let K_0 denote the key chosen by Alice and Bob. For s ∈ S and a ∈ A, define payoff(s, a) to be 
the probability that Bob will accept the message (s, a) as being authentic. It is not difficult to see that 

payoff(s, a) = \mathrm{prob}(a = e_{K_0}(s)) = \sum_{\{K \in \mathcal{K} : e_K(s) = a\}} p_K(K). 

That is, payoff(s, a) is computed by selecting the rows of the authentication matrix that have entry a in 
column s, and summing the probabilities of the corresponding keys. 

In order to maximize his chance of success, Oscar will choose (s, a) such that payoff(s, a) is a 
maximum. Hence, 

Pd_0 = \max\{ payoff(s, a) : s \in \mathcal{S}, a \in \mathcal{A} \}. \quad (10.1) 

Note that Pd_0 does not depend on the probability distribution p_S. 

Pd_1 is more difficult to compute, and it may depend on the probability distribution p_S. Let's first 
consider the following problem: Suppose Oscar observes the message (s, a) in the channel. Oscar will 
substitute some (s', a') for (s, a), where s' ≠ s. Hence, for s, s' ∈ S, s' ≠ s, and a, a' ∈ A, we define 
payoff(s', a'; s, a) to be the probability that a substitution of (s, a) with (s', a') will succeed in deceiving 
Bob. Then we can compute the following: 

payoff(s', a'; s, a) = \mathrm{prob}(a' = e_{K_0}(s') \mid a = e_{K_0}(s)) 
  = \frac{\mathrm{prob}(a' = e_{K_0}(s') \wedge a = e_{K_0}(s))}{\mathrm{prob}(a = e_{K_0}(s))} 
  = \frac{\sum_{\{K \in \mathcal{K} : e_K(s) = a,\, e_K(s') = a'\}} p_K(K)}{payoff(s, a)}. 

The numerator of this fraction is found by selecting the rows of the authentication matrix that have the 
value a in column s and the value a' in column s', and summing the probabilities of the corresponding 
keys. 

Since Oscar wants to maximize his chance of deceiving Bob, he will compute 

p_{s,a} = \max\{ payoff(s', a'; s, a) : s' \in \mathcal{S}, s' \neq s, a' \in \mathcal{A} \}. 

The quantity p_{s,a} denotes the probability that Oscar can deceive Bob with a substitution, given that (s, a) 
is the message observed in the channel. 

Now, how do we compute the deception probability Pd_1? Evidently, we have to compute a weighted 
average of the quantities p_{s,a} with respect to the probabilities p_M(s, a) of observing messages (s, a) in 
the channel. That is, we calculate Pd_1 to be 

Pd_1 = \sum_{(s,a) \in \mathcal{M}} p_M(s, a)\, p_{s,a}. \quad (10.2) 





key   1   2   3   4 
 1    1   1   1   2 
 2    1   2   2   1 
 3    2   2   1   2 

Figure 10.4 An authentication matrix 

The probability distribution p_M is as follows: 

p_M(s, a) = p_S(s) \times p_A(a \mid s) 
  = p_S(s) \times \sum_{\{K \in \mathcal{K} : e_K(s) = a\}} p_K(K) 
  = p_S(s) \times payoff(s, a). 

In Example 10.1, 

payoff(s, a) = 1/3 

for all s, a, so Pd_0 = 1/3. Also, it can be checked that 

payoff(s', a'; s, a) = 1/3 

for all s, s', a, a' with s ≠ s'. Hence, Pd_1 = 1/3 for any probability distribution p_S. (In general, though, Pd_1 
will depend on p_S.) 

Let's look at the computation of Pd_0 and Pd_1 for a less "regular" example. 

Example 10.2 

Consider the authentication matrix of Figure 10.4. Suppose the probability distributions on S and K are 

p_S(i) = 1/4, 1 ≤ i ≤ 4; and 

p_K(1) = 1/2, p_K(2) = p_K(3) = 1/4. 

The values payoff(s, a) are as follows: 

payoff(1, 1) = 3/4 
payoff(1, 2) = 1/4 
payoff(2, 1) = 1/2 
payoff(2, 2) = 1/2 
payoff(3, 1) = 3/4 
payoff(3, 2) = 1/4 
payoff(4, 1) = 1/4 
payoff(4, 2) = 3/4. 

Hence, Pd_0 = 3/4. Oscar's optimal impersonation strategy is to place any of the messages (1, 1), (3, 1) or 
(4, 2) into the channel. 

Now we turn to the computation of Pd_1. First, we present the various values payoff(s', a'; s, a) in the 
form of a matrix. The entry in row (s, a) and column (s', a') is the value payoff(s', a'; s, a). 

          (1,1) (1,2)   (2,1) (2,2)   (3,1) (3,2)   (4,1) (4,2) 
(1,1)                    2/3   1/3     2/3   1/3     1/3   2/3 
(1,2)                     0     1       1     0       0     1 
(2,1)      1     0                      1     0       0     1 
(2,2)     1/2   1/2                    1/2   1/2     1/2   1/2 
(3,1)     2/3   1/3     2/3   1/3                     0     1 
(3,2)      1     0       0     1                      1     0 
(4,1)      1     0       0     1       0     1 
(4,2)     2/3   1/3     2/3   1/3      1     0 

Thus we have p_{1,1} = 2/3, p_{2,2} = 1/2, and p_{s,a} = 1 for all other s, a. It is then a simple matter to evaluate 
Pd_1 = 7/8. An optimal substitution strategy for Oscar is as follows: 

(1, 1) → (2, 1) 
(1, 2) → (2, 2) 
(2, 1) → (1, 1) 
(2, 2) → (1, 1) 
(3, 1) → (4, 2) 
(3, 2) → (1, 1) 
(4, 1) → (1, 1) 
(4, 2) → (3, 1). 

This strategy indeed yields Pd_1 = 7/8. 

The computation of Pd_1 in Example 10.2 is straightforward but lengthy. We can in fact simplify the 
computation of Pd_1 by observing that we divide by the quantity payoff(s, a) in the computation of p_{s,a}, 
and then later multiply by payoff(s, a) in the computation of Pd_1. Of course, these two operations cancel 
each other out. Suppose we define 

q_{s,a} = \max\left\{ \sum_{\{K \in \mathcal{K} : e_K(s) = a,\, e_K(s') = a'\}} p_K(K) : s' \in \mathcal{S}, s' \neq s, a' \in \mathcal{A} \right\} 

for all s, a. Then we have the following more concise formula for Pd_1: 

Pd_1 = \sum_{(s,a) \in \mathcal{M}} p_S(s)\, q_{s,a}. \quad (10.3) 
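As an added worked example (not code from the book), the following Python computes Pd_0 by Equation (10.1), Pd_1 both by Equation (10.2) and by the concise formula (10.3), and an optimal strategy for each attack, from an authentication matrix and the distributions p_K and p_S. The two constructed inputs reproduce the matrices of Figures 10.3 and 10.4 together with the distributions of Examples 10.1 and 10.2; exact fractions keep the results comparable with the text. Function and variable names are my own.

```python
from fractions import Fraction
from itertools import product

# An authentication code is represented as the tuple (S, A, p_K, p_S, e), where
# e[K][s] is the entry of the authentication matrix in row K and column s.

def example_10_1():
    """Constructed input: S = A = Z_3, K = Z_3 x Z_3, e_(i,j)(s) = i*s + j mod 3
    (the authentication matrix of Figure 10.3), equiprobable keys."""
    S = A = [0, 1, 2]
    keys = [(i, j) for i in range(3) for j in range(3)]
    e = {(i, j): {s: (i * s + j) % 3 for s in S} for (i, j) in keys}
    p_K = {K: Fraction(1, 9) for K in keys}
    p_S = {s: Fraction(1, 3) for s in S}     # immaterial for this code; any p_S works
    return S, A, p_K, p_S, e

def example_10_2():
    """Constructed input: the authentication matrix of Figure 10.4 with
    p_K(1) = 1/2, p_K(2) = p_K(3) = 1/4 and p_S(i) = 1/4."""
    S, A = [1, 2, 3, 4], [1, 2]
    rows = {1: [1, 1, 1, 2], 2: [1, 2, 2, 1], 3: [2, 2, 1, 2]}
    e = {K: dict(zip(S, row)) for K, row in rows.items()}
    p_K = {1: Fraction(1, 2), 2: Fraction(1, 4), 3: Fraction(1, 4)}
    p_S = {s: Fraction(1, 4) for s in S}
    return S, A, p_K, p_S, e

def payoff(code, s, a):
    """payoff(s, a): total probability of the keys K with e_K(s) = a."""
    _, _, p_K, _, e = code
    return sum((p_K[K] for K in p_K if e[K][s] == a), Fraction(0))

def joint(code, s, a, s2, a2):
    """Numerator of payoff(s', a'; s, a): keys with e_K(s) = a and e_K(s') = a'."""
    _, _, p_K, _, e = code
    return sum((p_K[K] for K in p_K if e[K][s] == a and e[K][s2] == a2), Fraction(0))

def impersonation(code):
    """Pd_0 by Equation (10.1), plus the messages (s, a) that attain it."""
    S, A = code[0], code[1]
    table = {(s, a): payoff(code, s, a) for s in S for a in A}
    best = max(table.values())
    return best, sorted(m for m, v in table.items() if v == best)

def substitution(code):
    """Pd_1 by Equation (10.2) as a weighted average of p_{s,a}, plus an optimal
    strategy mapping each observable message (s, a) to a replacement (s', a')."""
    S, A, _, p_S, _ = code
    pd1, strategy = Fraction(0), {}
    for s, a in product(S, A):
        p_M = p_S[s] * payoff(code, s, a)          # p_M(s, a) = p_S(s) * payoff(s, a)
        if p_M == 0:
            continue                                # message never appears in the channel
        # payoff(s', a'; s, a) = joint / payoff(s, a); p_{s,a} is its maximum.
        cands = {(s2, a2): joint(code, s, a, s2, a2) / payoff(code, s, a)
                 for s2 in S if s2 != s for a2 in A}
        p_sa = max(cands.values())
        strategy[(s, a)] = min(m for m, v in cands.items() if v == p_sa)
        pd1 += p_M * p_sa
    return pd1, strategy

def substitution_concise(code):
    """Pd_1 by Equation (10.3): the division by payoff(s, a) and the later
    multiplication by it cancel, leaving the sum over (s, a) of p_S(s) * q_{s,a}."""
    S, A, _, p_S, _ = code
    total = Fraction(0)
    for s, a in product(S, A):
        q_sa = max(joint(code, s, a, s2, a2) for s2 in S if s2 != s for a2 in A)
        total += p_S[s] * q_sa
    return total

if __name__ == "__main__":
    for name, code in (("Example 10.1", example_10_1()), ("Example 10.2", example_10_2())):
        pd0, best = impersonation(code)
        pd1, strat = substitution(code)
        print(name, "Pd_0 =", pd0, "via", best, "| Pd_1 =", pd1, "=", substitution_concise(code))
        for m, m2 in sorted(strat.items()):
            print("   ", m, "->", m2)
```

Running the script prints Pd_0 = 1/3, Pd_1 = 1/3 for the first code and Pd_0 = 3/4, Pd_1 = 7/8 for the second, with the impersonation messages (1, 1), (3, 1), (4, 2) and the substitution strategy listed above (ties are broken by the smallest replacement message, which is why (2, 2) → (1, 1) is chosen among several equally good options).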



10.3 Combinatorial Bounds 

We have seen that the security of an authentication code is measured by the deception probabilities. 
Hence, we want to construct codes so that these probabilities are as small as possible. But other 
considerations are also important. Let's consider the various objectives that we might strive for in an 
authentication code: 

1. The deception probabilities Pd_0 and Pd_1 must be small enough to obtain the desired level of 
security. 

2. The number of source states must be large enough so that we can communicate the desired 
information by appending an authentication tag to one source state. 

3. The size of the key space should be minimized, since the value of the key must be 
communicated over a secure channel. (Note that the key must be changed every time a message 
is communicated, as is done with the One-time Pad.) 

In this section, we determine lower bounds on the deception probabilities, which will be computed in 
terms of other parameters of the code. Recall that we have defined an authentication code to consist of a 
four-tuple (S, A, K, E). Throughout this section, we will denote |A| = ℓ. 

Suppose we fix a source state s ∈ S. Then we can compute: 

\sum_{a \in \mathcal{A}} payoff(s, a) = \sum_{a \in \mathcal{A}} \sum_{\{K \in \mathcal{K} : e_K(s) = a\}} p_K(K) = 1. 

Hence, for every s ∈ S, there exists an authentication tag a(s) such that 

payoff(s, a(s)) \geq \frac{1}{\ell}. 

The following theorem follows easily. 

THEOREM 10.1 

Suppose (S, A, K, E) is an authentication code. Then Pd_0 ≥ 1/ℓ, where ℓ = |A|. Further, 
Pd_0 = 1/ℓ if and only if 

\sum_{\{K \in \mathcal{K} : e_K(s) = a\}} p_K(K) = \frac{1}{\ell} \quad (10.4) 

for every s ∈ S, a ∈ A. 

Now, we turn our attention to substitution. Suppose we fix s, a and s', where s' ≠ s. Then we have the 
following: 

\sum_{a' \in \mathcal{A}} payoff(s', a'; s, a) = \sum_{a' \in \mathcal{A}} \frac{\sum_{\{K \in \mathcal{K} : e_K(s) = a,\, e_K(s') = a'\}} p_K(K)}{\sum_{\{K \in \mathcal{K} : e_K(s) = a\}} p_K(K)} 
  = \frac{\sum_{\{K \in \mathcal{K} : e_K(s) = a\}} p_K(K)}{\sum_{\{K \in \mathcal{K} : e_K(s) = a\}} p_K(K)} 
  = 1. 

So, there exists an authentication tag a'(s', s, a) such that 

payoff(s', a'(s', s, a); s, a) \geq \frac{1}{\ell}. 
The next theorem follows as a consequence. 

THEOREM 10.2 

Suppose (S, A, K, E) is an authentication code. Then Pd_1 ≥ 1/ℓ, where ℓ = |A|. Further, 
Pd_1 = 1/ℓ if and only if 

\frac{\sum_{\{K \in \mathcal{K} : e_K(s) = a,\, e_K(s') = a'\}} p_K(K)}{\sum_{\{K \in \mathcal{K} : e_K(s) = a\}} p_K(K)} = \frac{1}{\ell} \quad (10.5) 

for every s, s' ∈ S, s ≠ s', a, a' ∈ A. 

PROOF We have 

Pd_1 = \sum_{(s,a) \in \mathcal{M}} p_M(s, a)\, p_{s,a} \geq \frac{1}{\ell}. 

Further, equality occurs if and only if p_{s,a} = 1/ℓ for every (s, a). But this is in turn equivalent to the 
condition that payoff(s', a'; s, a) = 1/ℓ for every (s, a) and every s' ≠ s, a' ∈ A. 

Combining Theorems 10.1 and 10.2, we get the following: 

THEOREM 10.3 

Suppose (S, A, K, E) is an authentication code, where ℓ = |A|. Then Pd_0 = Pd_1 = 1/ℓ if and 
only if 

\sum_{\{K \in \mathcal{K} : e_K(s) = a,\, e_K(s') = a'\}} p_K(K) = \frac{1}{\ell^2} \quad (10.6) 

for every s, s' ∈ S, s ≠ s', a, a' ∈ A. 

PROOF Equations (10.4) and (10.5) imply Equation (10.6). Conversely, Equation (10.6) implies 
Equations (10.4) and (10.5). 

If the keys are equiprobable, then we obtain the following corollary: 

COROLLARY 10.4 

Suppose (S, A, K, E) is an authentication code where ℓ = |A| and keys are chosen equiprobably. 
Then Pd_0 = Pd_1 = 1/ℓ if and only if 

|\{K \in \mathcal{K} : e_K(s) = a,\, e_K(s') = a'\}| = \frac{|\mathcal{K}|}{\ell^2} \quad (10.7) 

for every s, s' ∈ S, s ≠ s', a, a' ∈ A. 
10.3.1 Orthogonal Arrays 

In this section, we look at the connections between authentication codes and certain combinatorial 
structures called orthogonal arrays. First, we give a definition. 
Figure 10.5 An OA(3, 3, 1) 

DEFINITION 10.2 An orthogonal array OA(n, k, λ) is a λn² × k array of n symbols, such that in any 
two columns of the array every one of the possible n² pairs of symbols occurs in exactly λ rows. 

Orthogonal arrays are well-studied structures in combinatorial design theory, and are equivalent to other 
structures such as transversal designs, mutually orthogonal Latin squares and nets. 

In Figure 10.5, we present an orthogonal array OA(3, 3, 1) which is obtained from the authentication 
matrix of Figure 10.3. Any orthogonal array OA(n, k, λ) can be used to construct an authentication code 
with Pd_0 = Pd_1 = 1/n, as stated in the following theorem. 

THEOREM 10.5 

Suppose there is an orthogonal array OA(n, k, λ). Then there is an authentication code (S, A, K, E), 
where |S| = k, |A| = n, |K| = λn², and Pd_0 = Pd_1 = 1/n. 

PROOF Use each row of the orthogonal array as an authentication rule with equal probability 1/(λn²). 
The correspondences are as follows: 

orthogonal array    authentication code 
row                 authentication rule 
column              source state 
symbol              authentication tag 

Since Equation (10.7) is satisfied, we can apply Corollary 10.4, obtaining a code with the stated 
properties. 

10.3.2 Constructions and Bounds for OAs 

Suppose that we construct an authentication code from an OA(n, k, λ). The parameter n determines the 
number of authenticators (i.e., the security of the code), while the parameter k determines the number of 
source states the code can accommodate. The parameter λ relates only to the number of keys, which is 
λn². Of course, the case λ = 1 is most desirable, but we will see that it is sometimes necessary to use 
orthogonal arrays with higher values of λ. 

Suppose we want to construct an authentication code with a specified source set S, and a specified 
security level ε (i.e., so that Pd_0 ≤ ε and Pd_1 ≤ ε). An appropriate orthogonal array will satisfy the 
following conditions: 

1. n ≥ 1/ε 

2. k ≥ |S| (observe that we can always delete one or more columns from an orthogonal array 
and the resulting array is still an orthogonal array, so we do not require k = |S|) 

3. λ is minimized, subject to the two previous conditions being satisfied. 

Let's first consider orthogonal arrays with λ = 1. For a given value of n, we are interested in maximizing 
the number of columns. Here is a necessary condition for existence: 

THEOREM 10.6 

Suppose there exists an OA(n, k, 1). Then k ≤ n + 1. 

PROOF Let A be an OA(n, k, 1) on symbol set X = {0, 1, ..., n - 1}. Suppose π is a permutation of X, 
and we permute the symbols in any column of A according to the permutation π. The result is again an 
OA(n, k, 1). Hence, by applying a succession of permutations of this type, we can assume without loss 
of generality that the first row of A is (0 0 ... 0). 

We next show that each symbol must occur exactly n times in each column of A. Choose two columns, 
say c and c', and let x be any symbol. Then for each symbol x', there is a unique row of A in which x 
occurs in column c and x' occurs in column c'. Letting x' vary over X, we see that x occurs exactly n 
times in column c. 

Now, since the first row is (0 0 ... 0), we have exhausted all occurrences of ordered pairs (0, 0). Hence, 
no other row contains more than one occurrence of 0. Now, let us count the number of rows containing 
at least one 0: the total is 1 + k(n - 1). But this total cannot exceed the total number of rows in A, which 
is n². Hence, 1 + k(n - 1) ≤ n², so k ≤ n + 1, as desired. 

We now present a construction for orthogonal arrays with λ = 1 in which k = n. This is, in fact, the 
construction that was used to obtain the orthogonal array presented in Figure 10.5. 

THEOREM 10.7 

Suppose p is prime. Then there exists an orthogonal array OA(p, p, 1). 

PROOF The array will be a p² × p array, where the rows are indexed by Z_p × Z_p and the columns are 
indexed by Z_p. The entry in row (i, j) and column x is defined to be ix + j mod p. 

Suppose we choose two columns, x, y, x ≠ y, and two symbols a, b. We want to find a (unique) row (i, j) 
such that a occurs in column x and b occurs in column y of row (i, j). Hence, we want to solve the two 
equations 

a = ix + j 
b = iy + j 

for the unknowns i and j (where all arithmetic is done in the field Z_p). But this system has the unique 
solution 

i = (a - b)(x - y)^{-1} \bmod p 
j = a - ix \bmod p. 

Hence, we have an orthogonal array. 

We remark that any OA(n, n, 1) can be extended by one column to form an OA(n, n + 1, 1) (see the 
Exercises). Hence, using Theorem 10.7, we can obtain an infinite class of OA's that meet the bound of 
Theorem 10.6 with equality. 

Theorem 10.6 tells us that λ > 1 if k > n + 1. We will prove a more general result that places a lower 
bound on λ as a function of n and k. First, however, we derive an important inequality that we will use in 
the proof. 

LEMMA 10.8 

Suppose b_1, ..., b_m are real numbers. Then 

\sum_{i=1}^{m} b_i^2 \geq \frac{1}{m}\left(\sum_{i=1}^{m} b_i\right)^2. 

PROOF Apply Jensen's Inequality (Theorem 2.5) with f(x) = -x² and a_i = 1/m, 1 ≤ i ≤ m. The function f 
is continuous and concave, so we obtain 

-\left(\sum_{i=1}^{m} \frac{b_i}{m}\right)^2 \geq -\sum_{i=1}^{m} \frac{b_i^2}{m}, 

which simplifies to give the desired result. 

THEOREM 10.9 

Suppose there exists an OA(n, k, λ). Then 

\lambda \geq \frac{k(n - 1) + 1}{n^2}. 



PROOF Let A be an OA(n, k, λ) on symbol set X = {0, 1, ..., n - 1}, where, without loss of generality, 
the first row of A is (0 0 ... 0) (as in Theorem 10.6). 

Let us denote the set of rows of A by R, let r_0 denote the first row, and let R' = R \ {r_0}. For any row 
r of A, denote by x_r the number of occurrences of 0 in row r. It is easy to count the total number of 
occurrences of 0 in R'. Since each symbol must occur exactly λn times in each column of A, we have 
that 

\sum_{r \in R'} x_r = k(\lambda n - 1). 

Now, the number of times the ordered pair (0, 0) occurs in rows in R' is 

\sum_{r \in R'} x_r (x_r - 1) = \sum_{r \in R'} x_r^2 - \sum_{r \in R'} x_r. 

Applying Lemma 10.8, we obtain 

\sum_{r \in R'} x_r^2 \geq \frac{(k(\lambda n - 1))^2}{\lambda n^2 - 1}, 

and hence 

\sum_{r \in R'} x_r (x_r - 1) \geq \frac{(k(\lambda n - 1))^2}{\lambda n^2 - 1} - k(\lambda n - 1). 

On the other hand, in any given pair of columns, the ordered pair (0, 0) occurs in exactly λ rows. Since 
there are k(k - 1) ordered pairs of columns, it follows that the exact number of occurrences of the ordered 
pair (0, 0) in rows in R' is (λ - 1)k(k - 1). We therefore have 

(\lambda - 1)k(k - 1) \geq \frac{(k(\lambda n - 1))^2}{\lambda n^2 - 1} - k(\lambda n - 1), 

and hence 

((\lambda - 1)k(k - 1) + k(\lambda n - 1))(\lambda n^2 - 1) \geq (k(\lambda n - 1))^2. 

If we divide out a factor of k, we get 

(\lambda k - k - \lambda + \lambda n)(\lambda n^2 - 1) \geq k(\lambda n - 1)^2. 

Expanding, we have 

\lambda^2 k n^2 - \lambda k n^2 - \lambda^2 n^2 + \lambda^2 n^3 - \lambda k + k + \lambda - \lambda n \geq \lambda^2 k n^2 - 2\lambda k n + k. 

This simplifies to give 

-\lambda^2 n^2 + \lambda^2 n^3 \geq \lambda k n^2 + \lambda k - \lambda + \lambda n - 2\lambda k n, 

or 

\lambda^2 (n^3 - n^2) \geq \lambda (k(n - 1)^2 + n - 1). 

Finally, taking out a factor of λ(n - 1), we obtain 

\lambda n^2 \geq k(n - 1) + 1, 

which is the desired bound. 

Our next result establishes the existence of an infinite class of orthogonal arrays that meet the above 
bound with equality. 

THEOREM 10.10 

Suppose p is prime and d ≥ 2 is an integer. Then there is an orthogonal array OA(p, (p^d - 1)/(p - 1), p^{d-2}). 

PROOF Denote by (Z_p)^d the vector space of all d-tuples over Z_p. We will construct A, an 
OA(p, (p^d - 1)/(p - 1), p^{d-2}) in which the rows and columns are indexed by certain vectors in (Z_p)^d. The 
entries of A will be elements of Z_p. The set of rows is defined to be R = (Z_p)^d; the set of columns is 

C = \{(c_1, \ldots, c_d) \in (\mathbb{Z}_p)^d : \exists j, 0 \leq j \leq d - 1, c_1 = \cdots = c_j = 0, c_{j+1} = 1\}. 

R consists of all vectors in (Z_p)^d, so |R| = p^d. C consists of all non-zero vectors that have the first 
non-zero coordinate equal to 1. Observe that 

|C| = \frac{p^d - 1}{p - 1}, 

and that no two vectors in C are scalar multiples of each other. 

Now, for each r ∈ R and each c ∈ C, define 

A(r, c) = r \cdot c, 

where · denotes the inner product of two vectors (reduced modulo p). 

We prove that A is the desired orthogonal array. Let b, c ∈ C, b ≠ c, be two distinct columns, and let 
x, y ∈ Z_p. We will count the number of rows r such that A(r, b) = x and A(r, c) = y. Denote 
r = (r_1, ..., r_d), b = (b_1, ..., b_d) and c = (c_1, ..., c_d). The two equations r · b = x, r · c = y can be 
written as two linear equations in Z_p: 

b_1 r_1 + \cdots + b_d r_d = x 
c_1 r_1 + \cdots + c_d r_d = y. 

This is a system of two linear equations in the d unknowns r_1, ..., r_d. Since b and c are not scalar 
multiples, the two equations are linearly independent. Hence, this system has a solution space of 
dimension d - 2. That is, the number of solutions (i.e., the number of rows in which x occurs in column 
b and y occurs in column c) is p^{d-2}, as desired. 

Let's carry out a small example of this construction. 

Example 10.3 

Suppose we take p = 2, d = 3. Then we will construct an OA(2, 7, 2). We have 

R = {000, 001, 010, 011, 100, 101, 110, 111} 

and 

C = {001, 010, 011, 100, 101, 110, 111}. 

The orthogonal array in Figure 10.6 results. 

Figure 10.6 An OA(2, 7, 2) 
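The constructions of Theorems 10.7 and 10.10 and the check of Definition 10.2, as an added Python example (mine, not the book's): oa_prime(p) builds the OA(p, p, 1) of Theorem 10.7, oa_projective(p, d) the OA(p, (p^d - 1)/(p - 1), p^(d-2)) of Theorem 10.10 (so oa_projective(2, 3) is the OA(2, 7, 2) of Example 10.3 and Figure 10.6), is_orthogonal_array verifies the defining property by counting ordered pairs in every two columns, and lambda_lower_bound evaluates the right-hand side of Theorem 10.9. All function names are my own.

```python
from fractions import Fraction
from itertools import combinations, product

def is_orthogonal_array(rows, n, k, lam):
    """Definition 10.2: rows must form a lam*n^2 x k array over at most n symbols
    such that, in every pair of columns, each of the n^2 ordered pairs of symbols
    occurs in exactly lam rows."""
    if len(rows) != lam * n * n or any(len(r) != k for r in rows):
        return False
    if len({x for r in rows for x in r}) > n:
        return False
    for c1, c2 in combinations(range(k), 2):
        counts = {}
        for r in rows:
            counts[(r[c1], r[c2])] = counts.get((r[c1], r[c2]), 0) + 1
        if len(counts) != n * n or any(v != lam for v in counts.values()):
            return False
    return True

def oa_prime(p):
    """Theorem 10.7: the p^2 x p array whose row (i, j), column x holds i*x + j mod p.
    (p is assumed prime by the caller; the construction needs Z_p to be a field.)"""
    return [[(i * x + j) % p for x in range(p)] for i in range(p) for j in range(p)]

def oa_projective(p, d):
    """Theorem 10.10: rows are all of (Z_p)^d, columns are the non-zero vectors whose
    first non-zero coordinate is 1, and the entry is the inner product r . c mod p."""
    R = list(product(range(p), repeat=d))
    C = [c for c in R if any(c) and next(x for x in c if x) == 1]
    return [[sum(ri * ci for ri, ci in zip(r, c)) % p for c in C] for r in R]

def oa_projective_params(p, d):
    """The parameters (n, k, lambda) promised by Theorem 10.10."""
    return p, (p ** d - 1) // (p - 1), p ** (d - 2)

def lambda_lower_bound(n, k):
    """Theorem 10.9: any OA(n, k, lam) has lam >= (k(n-1)+1)/n^2, returned exactly."""
    return Fraction(k * (n - 1) + 1, n * n)

if __name__ == "__main__":
    for r in oa_prime(3):                      # the OA(3, 3, 1) of Figure 10.5
        print(*r)
    n, k, lam = oa_projective_params(2, 3)     # Example 10.3: an OA(2, 7, 2)
    A = oa_projective(2, 3)
    print("OA(2, 7, 2) valid:", is_orthogonal_array(A, n, k, lam),
          "| Theorem 10.9 bound on lambda:", lambda_lower_bound(n, k))
```

The bound check for the OA(2, 7, 2) returns exactly 2, illustrating the remark after Theorem 10.12 that the arrays of Theorem 10.10 meet the bound of Theorem 10.9 with equality; for an OA(n, n, 1) the bound is (n(n - 1) + 1)/n², which is below 1, as it must be.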

10.3.3 Characterizations of Authentication Codes 



To this point, we have studied authentication codes obtained from orthogonal arrays. Then we looked at 
necessary existence conditions and constructions for orthogonal arrays. One might wonder whether there 
are better alternatives to the orthogonal array approach. However, two characterization theorems tell us 
that this is not the case if we restrict our attention to authentication codes in which the deception 
probabilities are as small as possible. 

We first prove the following partial converse to Theorem 10.5: 

THEOREM 10.11 

Suppose (S, A, K, E) is an authentication code where |A| = n and Pd_0 = Pd_1 = 1/n. Then |K| ≥ n². 
Further, |K| = n² if and only if there is an orthogonal array OA(n, k, 1) where |S| = k, and 
p_K(K) = 1/n² for every key K ∈ K. 

PROOF Fix two (arbitrary) source states s and s', s ≠ s', and consider Equation (10.6). For each ordered 
pair (a, a') of authentication tags, define 

\mathcal{K}_{a,a'} = \{K \in \mathcal{K} : e_K(s) = a,\, e_K(s') = a'\}. 

Then |K_{a,a'}| > 0 for every pair (a, a'). Also, the n² sets K_{a,a'} are disjoint. Hence, |K| ≥ n². 

Now, suppose that |K| = n². Then |K_{a,a'}| = 1 for every pair (a, a'), and Equation (10.6) tells us that 
p_K(K) = 1/n² for every key K ∈ K. 

It remains to show that the authentication matrix forms an orthogonal array OA(n, k, 1). Consider the 
columns indexed by the source states s and s'. Since |K_{a,a'}| = 1 for every (a, a'), we have every 
ordered pair occurring exactly once in these two columns. Since s and s' are arbitrary, we see that every 
ordered pair occurs exactly once in any two columns. 

The following characterization is more difficult; we state it without proof. 

THEOREM 10.12 

Suppose (S, A, K, E) is an authentication code where |S| = k, |A| = n and Pd_0 = Pd_1 = 1/n. Then 
|K| ≥ k(n - 1) + 1. Further, |K| = k(n - 1) + 1 if and only if there is an orthogonal array OA(n, k, 
λ), where λ = (k(n - 1) + 1)/n², and p_K(K) = 1/(k(n - 1) + 1) for every key K ∈ K. 

REMARK Notice that Theorem 10.10 provides an infinite class of orthogonal arrays that meet the bound 
of Theorem 10.12 with equality. 

10.4 Entropy Bound 

In this section, we use entropy techniques to obtain bounds on the deception probabilities. The first of 
these is a bound on Pd_0. 

THEOREM 10.13 

Suppose that (S, A, K, E) is an authentication code. Then 

\log Pd_0 \geq H(K \mid M) - H(K). 

PROOF From Equation (10.1), we have 

Pd_0 = \max\{ payoff(s, a) : s \in \mathcal{S}, a \in \mathcal{A} \}. 

Since the maximum of the values payoff(s, a) is greater than their weighted average, we obtain 

Pd_0 \geq \sum_{s \in \mathcal{S}, a \in \mathcal{A}} p_M(s, a)\, payoff(s, a). 

Hence, by Jensen's inequality (Theorem 2.5), we have 

\log Pd_0 \geq \log \sum_{s \in \mathcal{S}, a \in \mathcal{A}} p_M(s, a)\, payoff(s, a) 
  \geq \sum_{s \in \mathcal{S}, a \in \mathcal{A}} p_M(s, a) \log payoff(s, a). 

Recalling from Section 10.2 that 

p_M(s, a) = p_S(s) \times payoff(s, a), 

we see that 

\log Pd_0 \geq \sum_{s \in \mathcal{S}, a \in \mathcal{A}} p_S(s)\, payoff(s, a) \log payoff(s, a). 

Now, we observe that payoff(s, a) = p_A(a | s) (i.e., the probability that a is the authenticator, given that 
s is the source state). Hence, 

\log Pd_0 \geq \sum_{s \in \mathcal{S}, a \in \mathcal{A}} p_S(s)\, p_A(a \mid s) \log p_A(a \mid s) = -H(A \mid S), 

by the definition of conditional entropy. We complete the proof by showing that -H(A|S) = H(K|M) - 
H(K). This follows from basic entropy identities. On one hand, we have 

H(K, A, S) = H(K \mid A, S) + H(A \mid S) + H(S). 

On the other hand, we compute 

H(K, A, S) = H(A \mid K, S) + H(K, S) = H(K) + H(S), 

where we use the facts that H(A|K, S) = 0 since the key and source state uniquely determine the 
authenticator, and H(K, S) = H(K) + H(S) since the source and key are independent events. 

Equating the two expressions for H(K, A, S), we obtain 

-H(A \mid S) = H(K \mid A, S) - H(K). 

But a message m = (s, a) is defined to consist of a source state and an authenticator (i.e., 
M = S × A). Hence, H(K|A, S) = H(K|M) and the proof is complete. 
There is a similar bound for Pd_1 which we will not prove here. It is as follows: 

THEOREM 10.14 

Suppose that (S, A, K, E) is an authentication code. Then 

\log Pd_1 \geq H(K \mid M^2) - H(K \mid M). 

We need to define what we mean by the random variable M². Suppose we authenticate two distinct 
source states using the same key K. In this way, we obtain an ordered pair of messages 
(m_1, m_2) ∈ M × M. In order to define a probability distribution on M × M, it is necessary to 
define a probability distribution on S × S, with the stipulation that p_{S×S}(s, s) = 0 for every s ∈ S 
(that is, we do not allow source states to be repeated). The probability distributions on K and S × S will 
induce a probability distribution on M × M, in the same way that the probability distributions on K 
and S induce a probability distribution on M. 

As an illustration of the two bounds, we consider our basic orthogonal array construction and show that 
the bounds of Theorems 10.13 and 10.14 are both met with equality. First, it is clear that 

H(K) = \log \lambda n^2, 

since each of the λn² authentication rules is chosen with equal probability. Let's next turn to the 
computation of H(K|M). If any message m = (s, a) is observed, this restricts the possible keys to a subset 
of size λn. Each of these λn keys is equally likely. Hence, H(K|m) = log λn, for any message m. Then, 
we get the following: 

H(K \mid M) = \sum_{m \in \mathcal{M}} p_M(m)\, H(K \mid m) = \log \lambda n. 

Thus we have 

H(K \mid M) - H(K) = \log \lambda n - \log \lambda n^2 = -\log n = \log Pd_0, 

so the bound is met with equality. 

file:///DIMy%20Files/eBooks/_Government%20Publicatio...ptography%20Theory%20and%20Practice/chl0/321-323.html (3 of 4)12/6/2003 9:20:05 AM 



Cryptography: Theory and Practice:Authentication Codes 



If we observe two messages which have been produced using the same key (and different source states), 
then the number of possible keys is reduced to λ. Using similar reasoning as above, we have that 
H(K|M²) = log λ. Then 

H(K \mid M^2) - H(K \mid M) = \log \lambda - \log \lambda n = -\log n = \log Pd_1, 

so this bound is also met with equality. 
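The equality computation above, carried out numerically as an added Python example (mine, not the book's). It builds the OA(p, p, 1) code of Example 10.1 (p = 3 gives Figure 10.3) with equiprobable keys and source states, computes H(K), H(K|M) by Bayes' formula, and H(K|M²) for pairs of messages under one key, taking p_{S×S} uniform over ordered pairs of distinct source states (my assumption; the text only requires p_{S×S}(s, s) = 0), and returns the two lower bounds of Theorems 10.13 and 10.14 in bits. The names are my own.

```python
from fractions import Fraction
from itertools import permutations
from math import log2

def oa_code(p=3):
    """Constructed input: the OA(p, p, 1) code e_(i,j)(s) = i*s + j mod p (Figure 10.3
    for p = 3) with equiprobable keys and equiprobable source states."""
    S = A = list(range(p))
    keys = [(i, j) for i in range(p) for j in range(p)]
    e = {(i, j): {s: (i * s + j) % p for s in S} for (i, j) in keys}
    p_K = {K: Fraction(1, len(keys)) for K in keys}
    p_S = {s: Fraction(1, p) for s in S}
    return S, A, p_K, p_S, e

def entropy(dist):
    """Shannon entropy in bits of a value -> probability dict (zero terms skipped)."""
    return -sum(float(q) * log2(float(q)) for q in dist.values() if q > 0)

def _conditional_entropy(p_K, likelihoods):
    """H(K | X) = sum_x p_X(x) H(K | x).  'likelihoods' yields, for each observable
    x, the dict k -> p_X(x | k); p_K(k | x) then follows from Bayes' formula."""
    total = 0.0
    for like in likelihoods:
        p_x = sum(p_K[k] * like[k] for k in p_K)
        if p_x == 0:
            continue
        posterior = {k: p_K[k] * like[k] / p_x for k in p_K}
        total += float(p_x) * entropy(posterior)
    return total

def H_K(code):
    return entropy(code[2])

def H_K_given_M(code):
    """H(K|M): one message m = (s, a); p_M(m|k) = p_S(s) if e_k(s) = a, else 0."""
    S, A, p_K, p_S, e = code
    likes = ({k: (p_S[s] if e[k][s] == a else Fraction(0)) for k in p_K}
             for s in S for a in A)
    return _conditional_entropy(p_K, likes)

def H_K_given_M2(code, p_S2=None):
    """H(K|M^2): two messages under the same key with distinct source states.
    p_S2 is a distribution on ordered pairs (s1, s2), s1 != s2; by default uniform
    over such pairs (our assumption; the text only requires p_S2(s, s) = 0)."""
    S, A, p_K, p_S, e = code
    if p_S2 is None:
        pairs = list(permutations(S, 2))
        p_S2 = {pr: Fraction(1, len(pairs)) for pr in pairs}
    likes = ({k: (ps if e[k][s1] == a1 and e[k][s2] == a2 else Fraction(0)) for k in p_K}
             for (s1, s2), ps in p_S2.items() for a1 in A for a2 in A)
    return _conditional_entropy(p_K, likes)

def entropy_bounds(code):
    """Lower bounds on log2 Pd_0 and log2 Pd_1 from Theorems 10.13 and 10.14."""
    hk, hkm, hkm2 = H_K(code), H_K_given_M(code), H_K_given_M2(code)
    return hkm - hk, hkm2 - hkm

if __name__ == "__main__":
    code = oa_code(3)
    print("H(K) =", H_K(code), "H(K|M) =", H_K_given_M(code), "H(K|M^2) =", H_K_given_M2(code))
    print("bounds on log2 Pd_0, log2 Pd_1:", entropy_bounds(code), "log2(1/3) =", log2(1 / 3))
```

For p = 3 the output matches the derivation: H(K) = log 9, H(K|M) = log 3, H(K|M²) = 0, so both bounds equal log(1/3) = log Pd_0 = log Pd_1. The same functions accept any code in this (S, A, p_K, p_S, e) shape, so a non-orthogonal-array matrix such as the one in Figure 10.4 can be checked for a strict inequality.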

10.5 Notes and References 

Authentication codes were invented in 1974 by Gilbert, MacWilliams, and Sloane [GMS74]. Much of 
the theory of authentication codes was developed by Simmons, who proved many fundamental results in 
the area. Two useful survey articles by Simmons are [SI92] and [SI88]. Another good survey is Massey 
[MA86]. 

The connections between orthogonal arrays and authentication codes have been addressed by several 
researchers. The treatment here is based on three papers by Stinson [ST88], [ST90] and [ST92]. 
Orthogonal arrays have been studied for over 45 years by researchers in statistics and in combinatorial 
design theory. For example, the bound in Theorem 10.9 was first proved by Plackett and Burman in 
1945 in [PB45]. Many interesting results on orthogonal arrays can be found in various textbooks on 
combinatorial design theory such as Beth, Jungnickel, and Lenz [BJL85]. 

Finally, the use of entropy techniques in the study of authentication codes was introduced by Simmons. 
The bound of Theorem 10.13 was first proved in Simmons [SI85]; a proof of Theorem 10.14 can be 
found in Walker [WA90]. 
Exercises 

10.1 Compute Pd_0 and Pd_1 for the following authentication code, represented in matrix form: 

key   1   2   3   4 
 1    1   1   2   3 
 2    1   2   3   1 
 3    2   1   3   1 
 4    2   3   1   2 
 5    3   2   1   3 
 6    3   3   2   1 

The probability distributions on S and K are as follows: 

p_S(1) = p_S(4) = 1/6, p_S(2) = p_S(3) = 1/3 
p_K(1) = p_K(6) = 1/4, p_K(2) = p_K(3) = p_K(4) = p_K(5) = 1/8. 

What are the optimal impersonation and substitution strategies? 

10.2 We have seen a construction for an orthogonal array OA(p, p, 1) when p is prime. Prove 
that this OA(p, p, 1) can always be extended by one extra column to form an OA(p, p + 1, 1). 
Illustrate your construction in the case p = 5. 

10.3 Suppose A is an OA(n_1, k, λ_1) on symbol set {1, ..., n_1} and suppose B is an OA(n_2, k, λ_2) 
on symbol set {1, ..., n_2}. We construct C, an OA(n_1 n_2, k, λ_1 λ_2) on symbol set {1, ..., n_1} × {1, 
..., n_2}, as follows: for each row r = (x_1, ..., x_k) of A and for each row s = (y_1, ..., y_k) of B, 
define a row ((x_1, y_1), ..., (x_k, y_k)) of C. Prove that C is indeed an OA(n_1 n_2, k, λ_1 λ_2). 



10.4 Construct an orthogonal array OA(3, 13, 3). 

10.5 Write a computer program to compute H(K), H(K|M) and H(K|M²) for the authentication 
code from Exercise 10.1. The probability distribution on sequences of two sources is as follows: 

p_{S²}(1, 2) = p_{S²}(1, 3) = p_{S²}(1, 4) = 1/18 
p_{S²}(2, 1) = p_{S²}(2, 3) = p_{S²}(2, 4) = 1/9 
p_{S²}(3, 1) = p_{S²}(3, 2) = p_{S²}(3, 4) = 1/9 
p_{S²}(4, 1) = p_{S²}(4, 2) = p_{S²}(4, 3) = 1/18 

Compare the entropy bounds for Pd_0 and Pd_1 with the actual values you computed in Exercise 
10.1. 

HINT To compute p_K(k|m), use Bayes' formula 

p_K(k \mid m) = \frac{p_K(k)\, p_M(m \mid k)}{p_M(m)}. 

We already know how to calculate p_M(m). To compute p_M(m|k), write m = (s, a) and then 
observe that p_M(m|k) = p_S(s) if e_k(s) = a, and p_M(m|k) = 0 otherwise. 

To compute p_K(k|m_1, m_2), use Bayes' formula 

p_K(k \mid m_1, m_2) = \frac{p_K(k)\, p_{M^2}(m_1, m_2 \mid k)}{p_{M^2}(m_1, m_2)}. 

p_{M²}(m_1, m_2) can be calculated as follows: write m_1 = (s_1, a_1) and m_2 = (s_2, a_2). Then 

p_{M^2}(m_1, m_2) = p_{S^2}(s_1, s_2) \times \sum_{\{K \in \mathcal{K} : e_K(s_1) = a_1,\, e_K(s_2) = a_2\}} p_K(K). 

(Note the similarity with the computation of p_M(m).) To compute p_{M²}(m_1, m_2|k), observe that 
p_{M²}(m_1, m_2|k) = p_{S²}(s_1, s_2) if e_k(s_1) = a_1 and e_k(s_2) = a_2, and 
p_{M²}(m_1, m_2|k) = 0 otherwise. 
Chapter 11 

Secret Sharing Schemes 

11.1 Introduction: The Shamir Threshold Scheme 

In a bank, there is a vault which must be opened every day. The bank employs three senior tellers, but 
they do not trust the combination to any individual teller. Hence, we would like to design a system 
whereby any two of the three senior tellers can gain access to the vault, but no individual teller can do 
so. This problem can be solved by means of a secret sharing scheme, the topic of this chapter. 

Here is an interesting "real-world" example of this situation: According to Time Magazine¹, control of 
nuclear weapons in Russia involves a similar "two-out-of-three" access mechanism. The three parties 
involved are the President, the Defense Minister and the Defense Ministry. 

¹ Time Magazine, May 4, 1992, p. 13 



We first study a special type of secret sharing scheme called a threshold scheme. Here is an informal 
definition. 

DEFINITION 11.1 Let t, w be positive integers, t ≤ w. A (t, w)-threshold scheme is a method of 
sharing a key K among a set of w participants (denoted by P), in such a way that any t participants can 
compute the value of K, but no group of t - 1 participants can do so. 

Note that the examples described above are (2, 3)-threshold schemes. 

The value of K is chosen by a special participant called the dealer. The dealer is denoted by D and we 
assume D ∉ P. When D wants to share the key K among the participants in P, he gives each 
participant some partial information called a share. The shares should be distributed secretly, so no 
participant knows the share given to another participant. 

At a later time, a subset of participants B ⊆ P will pool their shares in an attempt to compute the key 
K. (Alternatively, they could give their shares to a trusted authority which will perform the computation 
for them.) If |B| ≥ t, then they should be able to compute the value of K as a function of the shares they 
collectively hold; if |B| < t, then they should not be able to compute K. 



Figure 11.1 The Shamir (t, w)-threshold scheme in $\mathbb{Z}_p$

We will use the following notation. Let

$$\mathcal{P} = \{P_i : 1 \le i \le w\}$$

be the set of w participants. $\mathcal{K}$ is the key set (i.e., the set of all possible keys); and $\mathcal{S}$ is the share set (i.e., the set of all possible shares).

In this section, we present a method of constructing a (t, w)-threshold scheme, called the Shamir Threshold Scheme, which was invented in 1979. Let $\mathcal{K} = \mathbb{Z}_p$, where $p \ge w + 1$ is prime. Also, let $\mathcal{S} = \mathbb{Z}_p$. Hence, the key will be an element of $\mathbb{Z}_p$, as will be each share given to a participant. The Shamir threshold scheme is presented in Figure 11.1. In this scheme, the dealer constructs a random polynomial a(x) of degree at most t - 1 in which the constant term is the key, K. Every participant $P_i$ obtains a point $(x_i, y_i)$ on this polynomial.

Let's look at how a subset B of t participants can reconstruct the key. This is basically accomplished by means of polynomial interpolation. We will describe a couple of methods of doing this.

Suppose that participants $P_{i_1}, \ldots, P_{i_t}$ want to determine K. They know that $y_{i_j} = a(x_{i_j})$, $1 \le j \le t$, where $a(x) \in \mathbb{Z}_p[x]$ is the (secret) polynomial chosen by D. Since a(x) has degree at most t - 1, a(x) can be written as

$$a(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1},$$

where the coefficients $a_0, \ldots, a_{t-1}$ are unknown elements of $\mathbb{Z}_p$, and $a_0 = K$ is the key. Since $y_{i_j} = a(x_{i_j})$, $1 \le j \le t$, B can obtain t linear equations in the t unknowns $a_0, \ldots, a_{t-1}$, where all arithmetic is done in $\mathbb{Z}_p$. If the equations are linearly independent, there will be a unique solution, and $a_0$ will be revealed as the key.

Here is a small example to illustrate. 

Example 11.1

Suppose that p = 17, t = 3, and w = 5; and the public x-coordinates are $x_i = i$, $1 \le i \le 5$. Suppose that $B = \{P_1, P_3, P_5\}$ pool their shares, which are respectively 8, 10, and 11. Writing the polynomial a(x) as

$$a(x) = a_0 + a_1 x + a_2 x^2,$$

and computing a(1), a(3) and a(5), the following three linear equations in $\mathbb{Z}_{17}$ are obtained:

$$a_0 + a_1 + a_2 = 8$$
$$a_0 + 3a_1 + 9a_2 = 10$$
$$a_0 + 5a_1 + 8a_2 = 11.$$

This system does have a unique solution in $\mathbb{Z}_{17}$: $a_0 = 13$, $a_1 = 10$ and $a_2 = 2$. The key is therefore $K = a_0 = 13$.

Clearly, it is important that the system of t linear equations has a unique solution, as in Example 11.1. We show now that this is always the case. In general, we have $y_{i_j} = a(x_{i_j})$, $1 \le j \le t$, where

$$a(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}$$

and $a_0 = K$.

The system of linear equations (in $\mathbb{Z}_p$) is the following:

$$a_0 + a_1 x_{i_1} + a_2 x_{i_1}^2 + \cdots + a_{t-1} x_{i_1}^{t-1} = y_{i_1}$$
$$a_0 + a_1 x_{i_2} + a_2 x_{i_2}^2 + \cdots + a_{t-1} x_{i_2}^{t-1} = y_{i_2}$$
$$\vdots$$
$$a_0 + a_1 x_{i_t} + a_2 x_{i_t}^2 + \cdots + a_{t-1} x_{i_t}^{t-1} = y_{i_t}$$

This can be written in matrix form as follows:

$$\begin{pmatrix} 1 & x_{i_1} & x_{i_1}^2 & \cdots & x_{i_1}^{t-1} \\ 1 & x_{i_2} & x_{i_2}^2 & \cdots & x_{i_2}^{t-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & x_{i_t} & x_{i_t}^2 & \cdots & x_{i_t}^{t-1} \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{t-1} \end{pmatrix} = \begin{pmatrix} y_{i_1} \\ y_{i_2} \\ \vdots \\ y_{i_t} \end{pmatrix}$$

Now, the coefficient matrix A is a so-called Vandermonde matrix. There is a well-known formula for the determinant of a Vandermonde matrix, namely

$$\det A = \prod_{1 \le j < k \le t} (x_{i_k} - x_{i_j}) \bmod p.$$

Recall that the $x_i$'s are all distinct, so no term $x_{i_k} - x_{i_j}$ in this product is equal to zero. The product is computed in $\mathbb{Z}_p$, where p is prime, which is a field. Since the product of non-zero terms in a field is always non-zero, we have that $\det A \ne 0$. Since the determinant of the coefficient matrix is non-zero, the system has a unique solution over the field $\mathbb{Z}_p$. This establishes that any group of t participants will be able to recover the key in this threshold scheme.
What happens if a group of t - 1 participants attempt to compute K? Proceeding as above, they will obtain a system of t - 1 equations in t unknowns. Suppose they hypothesize a value $y_0$ for the key. Since the key is $a_0 = a(0)$, this will yield a t-th equation, and the coefficient matrix of the resulting system of t equations in t unknowns will again be a Vandermonde matrix. As before, there will be a unique solution. Hence, for every hypothesized value $y_0$ of the key, there is a unique polynomial $a^{y_0}(x)$ such that

$$y_{i_j} = a^{y_0}(x_{i_j}),$$

$1 \le j \le t - 1$, and such that

$$y_0 = a^{y_0}(0).$$

Hence, no value of the key can be ruled out, and thus a group of t - 1 participants can obtain no information about the key.

We have analyzed the Shamir scheme from the point of view of solving systems of linear equations over $\mathbb{Z}_p$. There is an alternative method, based on the Lagrange interpolation formula for polynomials. The Lagrange interpolation formula is an explicit formula for the (unique) polynomial a(x) of degree at most t - 1 that we computed above. The formula is as follows:

$$a(x) = \sum_{j=1}^{t} y_{i_j} \prod_{1 \le k \le t,\, k \ne j} \frac{x - x_{i_k}}{x_{i_j} - x_{i_k}}.$$

It is easy to verify the correctness of this formula by substituting $x = x_{i_j}$: all terms in the summation vanish except for the j-th term, which is $y_{i_j}$. Thus, we have a polynomial of degree at most t - 1 which contains the t ordered pairs $(x_{i_j}, y_{i_j})$, $1 \le j \le t$. We already proved above that this polynomial is unique, so the interpolation formula does yield the correct polynomial.

A group B of t participants can compute a(x) by using the interpolation formula. But a simplification is possible, since the participants in B do not need to know the whole polynomial a(x). It is sufficient for them to compute the constant term K = a(0). Hence, they can compute the following expression, which is obtained by substituting x = 0 into the Lagrange interpolation formula:

$$K = \sum_{j=1}^{t} y_{i_j} \prod_{1 \le k \le t,\, k \ne j} \frac{x_{i_k}}{x_{i_k} - x_{i_j}}.$$

Suppose we define

$$b_j = \prod_{1 \le k \le t,\, k \ne j} \frac{x_{i_k}}{x_{i_k} - x_{i_j}},$$

$1 \le j \le t$. (Note that these values $b_j$ can be precomputed, if desired, and their values are not secret.) Then we have

$$K = \sum_{j=1}^{t} b_j y_{i_j}.$$

Hence, the key is a linear combination of the t shares.

To illustrate this approach, let's recompute the key from Example 11.1.

Example 11.1 (Con't.)

The participants $\{P_1, P_3, P_5\}$ can compute $b_1$, $b_2$ and $b_3$ according to the formula given above. For example, they would obtain

$$b_1 = \frac{x_3 x_5}{(x_3 - x_1)(x_5 - x_1)} \bmod 17 = 3 \times 5 \times 2^{-1} \times 4^{-1} \bmod 17 = 4.$$

Similarly, $b_2 = 3$ and $b_3 = 11$. Then, given shares 8, 10, and 11 (respectively), they would obtain

$$K = 4 \times 8 + 3 \times 10 + 11 \times 11 \bmod 17 = 13,$$

as before.
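The dealer's side of Figure 11.1 and the two reconstruction routes described above, as an added Python example that is not code from the book: share generation with the polynomial a(x) of the text, recombination with the public weights $b_j$, and the "every hypothesised key is consistent" argument for t - 1 shares carried out by Lagrange evaluation. The function names and the `rand_coeffs` parameter (which lets a test inject the dealer's random coefficients) are this example's own; the numbers are those of Example 11.1.

```python
import secrets


def eval_poly(coeffs, x, p):
    """Evaluate a_0 + a_1 x + ... + a_{t-1} x^{t-1} in Z_p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def shamir_share(key, t, w, p, rand_coeffs=None):
    """Dealer side of the Shamir (t, w)-threshold scheme over Z_p.

    Public x-coordinates are x_i = i, so p >= w + 1 keeps them distinct and
    non-zero.  rand_coeffs lets a test inject a_1..a_{t-1}; a real dealer
    leaves it None and gets fresh random coefficients.  Returns {x_i: y_i}.
    """
    assert 1 <= t <= w and p >= w + 1
    if rand_coeffs is None:
        rand_coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    assert len(rand_coeffs) == t - 1
    coeffs = [key % p] + [c % p for c in rand_coeffs]   # a_0 = K is the key
    return {x: eval_poly(coeffs, x, p) for x in range(1, w + 1)}


def lagrange_coeffs(xs, p):
    """b_j = prod_{k != j} x_k / (x_k - x_j) mod p: the public recombination weights."""
    bs = []
    for j, xj in enumerate(xs):
        num, den = 1, 1
        for k, xk in enumerate(xs):
            if k != j:
                num = num * xk % p
                den = den * (xk - xj) % p
        bs.append(num * pow(den, -1, p) % p)
    return bs


def shamir_reconstruct(shares, p):
    """K = sum_j b_j y_j over the t pooled shares given as {x_i: y_i}."""
    xs = list(shares)
    return sum(b * shares[x] for b, x in zip(lagrange_coeffs(xs, p), xs)) % p


def lagrange_eval(points, x, p):
    """Value at x of the unique polynomial of degree < len(points) through `points`."""
    total = 0
    for xj, yj in points.items():
        num, den = 1, 1
        for xk in points:
            if xk != xj:
                num = num * (x - xk) % p
                den = den * (xj - xk) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


def completions_for_every_key(partial_shares, x_missing, p):
    """Given only t - 1 shares, map each hypothesised key y_0 to the single value
    of the missing share that would make y_0 the true key.  Every y_0 in Z_p has
    such a completion, so the t - 1 holders can rule out no key."""
    return {y0: lagrange_eval({0: y0, **partial_shares}, x_missing, p)
            for y0 in range(p)}


if __name__ == "__main__":
    shares = shamir_share(13, 3, 5, 17, rand_coeffs=[10, 2])   # Example 11.1 polynomial
    pooled = {x: shares[x] for x in (1, 3, 5)}
    print(lagrange_coeffs([1, 3, 5], 17), shamir_reconstruct(pooled, 17))
```

The `completions_for_every_key` map is a bijection from hypothesised keys to values of the missing share, which is the computational form of the argument that t - 1 participants learn nothing.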

The last topic of this section is a simplified construction for threshold schemes in the special case w = t. This construction will work for any key set $\mathcal{K} = \mathbb{Z}_m$ with $m \ge 2$. (For this scheme, it is not required that m be prime, and it is not necessary that $m \ge w + 1$.) If D wants to share the key $K \in \mathbb{Z}_m$, he carries out the protocol of Figure 11.2.

Figure 11.2 A (t, t)-threshold scheme in $\mathbb{Z}_m$

Observe that the t participants can compute K by the formula

$$K = \sum_{i=1}^{t} y_i \bmod m.$$

Can t - 1 participants compute K? Clearly, the first t - 1 participants cannot do so, since they receive t - 1 independent random numbers as their shares. Consider the t - 1 participants in the set $\mathcal{P} \setminus \{P_i\}$, where $1 \le i \le t - 1$. These t - 1 participants possess the shares

$$y_1, \ldots, y_{i-1}, y_{i+1}, \ldots, y_{t-1}$$

and

$$y_t = K - \sum_{k=1}^{t-1} y_k \bmod m.$$

By summing their shares, they can compute $K - y_i$. However, they do not know the random value $y_i$, and hence they have no information as to the value of K. Consequently, we have a (t, t)-threshold scheme.

11.2 Access Structures and General Secret Sharing

In the previous section, we desired that any t of the w participants should be able to determine the key. A more general situation is to specify exactly which subsets of participants should be able to determine the key and which should not. Let $\Gamma$ be a set of subsets of $\mathcal{P}$; the subsets in $\Gamma$ are those subsets of participants that should be able to compute the key. $\Gamma$ is called an access structure and the subsets in $\Gamma$ are called authorized subsets.

Let $\mathcal{K}$ be the key set and let $\mathcal{S}$ be the share set. As before, when a dealer D wants to share a key $K \in \mathcal{K}$, he will give each participant a share from $\mathcal{S}$. At a later time a subset of participants will attempt to determine K from the shares they collectively hold.

DEFINITION 11.2 A perfect secret sharing scheme realizing the access structure $\Gamma$ is a method of sharing a key K among a set of w participants (denoted by $\mathcal{P}$), in such a way that the following two properties are satisfied:

1. If an authorized subset of participants $B \subseteq \mathcal{P}$ pool their shares, then they can determine the value of K.

2. If an unauthorized subset of participants $B \subseteq \mathcal{P}$ pool their shares, then they can determine nothing about the value of K.

Observe that a (t, w)-threshold scheme realizes the access structure

$$\{B \subseteq \mathcal{P} : |B| \ge t\}.$$

Such an access structure is called a threshold access structure. We showed in the previous section that the Shamir scheme is a perfect scheme realizing the threshold access structure.

We study the unconditional security of secret sharing schemes. That is, we do not place any limit on the 
amount of computation that can be performed by an unauthorized subset of participants. 

Suppose that $B \in \Gamma$ and $B \subseteq C \subseteq \mathcal{P}$. Suppose the subset C wants to determine K. Since B is an authorized subset, it can already determine K. Hence, the subset C can determine K by ignoring the shares of the participants in $C \setminus B$. Stated another way, a superset of an authorized set is again an authorized set. What this says is that the access structure should satisfy the monotone property:

$$\text{if } B \in \Gamma \text{ and } B \subseteq C \subseteq \mathcal{P}, \text{ then } C \in \Gamma.$$

In the remainder of this chapter, we will assume that all access structures are monotone. 
If $\Gamma$ is an access structure, then $B \in \Gamma$ is a minimal authorized subset if $A \notin \Gamma$ whenever $A \subseteq B$, $A \ne B$. The set of minimal authorized subsets of $\Gamma$ is denoted $\Gamma_0$ and is called the basis of $\Gamma$. Since $\Gamma$ consists of all subsets of $\mathcal{P}$ that are supersets of a subset in the basis $\Gamma_0$, $\Gamma$ is determined uniquely as a function of $\Gamma_0$. Expressed mathematically, we have

$$\Gamma = \{C \subseteq \mathcal{P} : B \subseteq C, B \in \Gamma_0\}.$$

We say that $\Gamma$ is the closure of $\Gamma_0$ and write

$$\Gamma = \mathrm{cl}(\Gamma_0).$$

Example 11.2

Suppose $\mathcal{P} = \{P_1, P_2, P_3, P_4\}$ and

$$\Gamma_0 = \{\{P_1, P_2, P_4\}, \{P_1, P_3, P_4\}, \{P_2, P_3\}\}.$$

Then

$$\Gamma = \{\{P_1, P_2, P_4\}, \{P_1, P_3, P_4\}, \{P_2, P_3\}, \{P_1, P_2, P_3\}, \{P_2, P_3, P_4\}, \{P_1, P_2, P_3, P_4\}\}.$$

Conversely, given this access structure $\Gamma$, it is easy to see that $\Gamma_0$ consists of the minimal subsets in $\Gamma$.

In the case of a (t, w)-threshold access structure, the basis consists of all subsets of (exactly) t participants.



11.3 The Monotone Circuit Construction 
In this section, we will give a conceptually simple and elegant construction due to Benaloh and Leichter that shows that any (monotone) access structure can be realized by a perfect secret sharing scheme. The idea is to first build a monotone circuit that "recognizes" the access structure, and then to build the secret sharing scheme from the description of the circuit. We call this the monotone circuit construction.

Suppose we have a boolean circuit C, with w boolean inputs, $x_1, \ldots, x_w$ (corresponding to the w participants $P_1, \ldots, P_w$), and one boolean output, y. The circuit consists of "or" gates and "and" gates; we do not allow any "not" gates. Such a circuit is called a monotone circuit. The reason for this nomenclature is that changing any input $x_i$ from "0" (false) to "1" (true) can never result in the output y changing from "1" to "0." The circuit is permitted to have arbitrary fan-in, but we require fan-out equal to 1 (that is, a gate can have arbitrarily many input wires, but only one output wire).

If we specify boolean values for the w inputs of such a monotone circuit, we can define

$$B(x_1, \ldots, x_w) = \{P_i : x_i = 1\},$$

i.e., the subset of $\mathcal{P}$ corresponding to the true inputs. Suppose C is a monotone circuit, and define

$$\Gamma(C) = \{B(x_1, \ldots, x_w) : C(x_1, \ldots, x_w) = 1\},$$

where $C(x_1, \ldots, x_w)$ denotes the output of C, given inputs $x_1, \ldots, x_w$. Since the circuit C is monotone, it follows that $\Gamma(C)$ is a monotone set of subsets of $\mathcal{P}$.

It is easy to see that there is a one-to-one correspondence between monotone circuits of this type and boolean formulae which contain the operators $\wedge$ ("and") and $\vee$ ("or"), but do not contain any negations.

If $\Gamma$ is a monotone set of subsets of $\mathcal{P}$, then it is easy to construct a monotone circuit C such that $\Gamma(C) = \Gamma$. One way to do this is as follows. Let $\Gamma_0$ be the basis of $\Gamma$. Then construct the disjunctive normal form boolean formula

$$\bigvee_{B \in \Gamma_0} \left( \bigwedge_{P_i \in B} P_i \right).$$

In Example 11.2, where

$$\Gamma_0 = \{\{P_1, P_2, P_4\}, \{P_1, P_3, P_4\}, \{P_2, P_3\}\},$$

we would obtain the boolean formula

$$(P_1 \wedge P_2 \wedge P_4) \vee (P_1 \wedge P_3 \wedge P_4) \vee (P_2 \wedge P_3). \qquad (11.1)$$

Each clause in the boolean formula corresponds to an "and" gate of the associated monotone circuit; the final disjunction corresponds to an "or" gate. The number of gates in the circuit is $|\Gamma_0| + 1$.

Suppose C is any monotone circuit that recognizes $\Gamma$ (note that C need not be the circuit described above). We describe an algorithm which enables D, the dealer, to construct a perfect secret sharing scheme that realizes $\Gamma$. This scheme will use as a building block the (t, t)-schemes constructed in Figure 11.2. Hence, we take the key set to be $\mathcal{K} = \mathbb{Z}_m$ for some integer m. The algorithm proceeds by assigning a value

$$f(W) \in \mathcal{K}$$

to every wire W in the circuit C. Initially, the output wire $W_{out}$ of the circuit is assigned the value K, the key. The algorithm iterates a number of times, until every wire has a value assigned to it. Finally, each participant $P_i$ is given the list of values f(W) such that W is an input wire of the circuit which receives input $x_i$.

A description of the construction is given in Figure 11.3. Note that, whenever a gate G is an "and" gate having (say) t input wires, we share the "key" $f(W_G)$ on the output wire $W_G$ of G among the input wires using a (t, t)-threshold scheme.

Let's carry out this procedure for the access structure of Example 11.2, using the circuit corresponding to the boolean formula (11.1).
Example 11.3

We illustrate the construction in Figure 11.4. Suppose K is the key. The value K is given to each of the three input wires of the final "or" gate. Next, we consider the "and" gate corresponding to the clause $P_1 \wedge P_2 \wedge P_4$: its three input wires are assigned values $a_1, a_2, K - a_1 - a_2$, respectively, where all arithmetic is done in $\mathbb{Z}_m$. In a similar way, the three input wires corresponding to $P_1 \wedge P_3 \wedge P_4$ are assigned values $b_1, b_2, K - b_1 - b_2$. Finally, the two input wires corresponding to $P_2 \wedge P_3$ are assigned values $c_1, K - c_1$. Note that $a_1, a_2, b_1, b_2$ and $c_1$ are all independent random values in $\mathbb{Z}_m$. If we look at the shares that the four participants receive, we have the following:

1. $P_1$ receives $a_1, b_1$.

2. $P_2$ receives $a_2, c_1$.

3. $P_3$ receives $b_2, K - c_1$.

4. $P_4$ receives $K - a_1 - a_2, K - b_1 - b_2$.

Figure 11.3 The monotone circuit construction

Thus, every participant receives two elements of $\mathbb{Z}_m$ as his or her share.

Let's prove that the scheme is perfect. First, we verify that each basis subset can compute K. The authorized subset $\{P_1, P_2, P_4\}$ can compute

$$K = a_1 + a_2 + (K - a_1 - a_2) \bmod m.$$

The subset $\{P_1, P_3, P_4\}$ can compute

$$K = b_1 + b_2 + (K - b_1 - b_2) \bmod m.$$

Finally, the subset $\{P_2, P_3\}$ can compute

$$K = c_1 + (K - c_1) \bmod m.$$

Figure 11.4 A monotone circuit

Thus any authorized subset can compute K, so we turn our attention to the unauthorized subsets. Note that we do not need to look at all the unauthorized subsets. For, if $B_1$ and $B_2$ are both unauthorized subsets, $B_1 \subseteq B_2$ and $B_2$ cannot compute K, then neither can $B_1$ compute K. Define a subset $B \subseteq \mathcal{P}$ to be a maximal unauthorized subset if $B \notin \Gamma$ and $B_1 \in \Gamma$ for all $B_1 \subseteq \mathcal{P}$ with $B \subseteq B_1$, $B_1 \ne B$. It follows that it suffices to verify that none of the maximal unauthorized subsets can determine any information about K. Here, the maximal unauthorized subsets are

$$\{P_1, P_2\}, \{P_1, P_3\}, \{P_1, P_4\}, \{P_2, P_4\}, \{P_3, P_4\}.$$

In each case, it is easy to see that K cannot be computed, either because some necessary piece of "random" information is missing, or because all the shares possessed by the subset are random. For example, the subset $\{P_1, P_2\}$ possesses only the random values $a_1, b_1, a_2, c_1$. As another example, the subset $\{P_3, P_4\}$ possesses the shares $b_2, K - c_1, K - a_1 - a_2, K - b_1 - b_2$. Since the values of $c_1, a_1, a_2$ and $b_1$ are unknown random values, K cannot be computed. In each possible case, an unauthorized subset has no information about the value of K.

We can obtain a different scheme realizing the same access structure by using a different circuit. We illustrate by returning again to the access structure of Example 11.2.

Example 11.4

Suppose we convert the formula (11.1) to the so-called conjunctive normal form:

$$(P_1 \vee P_2) \wedge (P_1 \vee P_3) \wedge (P_2 \vee P_3) \wedge (P_2 \vee P_4) \wedge (P_3 \vee P_4). \qquad (11.2)$$

(The reader can verify that this formula is equivalent to the formula (11.1).) If we implement the scheme using the circuit corresponding to formula (11.2), then we obtain the following:

1. $P_1$ receives $a_1, a_2$.

2. $P_2$ receives $a_1, a_3, a_4$.

3. $P_3$ receives $a_2, a_3, K - a_1 - a_2 - a_3 - a_4$.

4. $P_4$ receives $a_4, K - a_1 - a_2 - a_3 - a_4$.

We leave the details for the reader to check.

We now prove that the monotone circuit construction always produces a perfect secret sharing scheme. 
THEOREM 11.1

Let C be any monotone boolean circuit. Then the monotone circuit construction yields a perfect secret sharing scheme realizing the access structure $\Gamma(C)$.

PROOF We proceed by induction on the number of gates in the circuit C. If C contains only one gate, then the result is fairly trivial: If C consists of one "or" gate, then every participant will be given the key. This scheme realizes the access structure consisting of all non-empty subsets of participants. If C consists of a single "and" gate with t inputs, then the scheme is the (t, t)-threshold scheme presented in Figure 11.2.

Now, as an induction assumption, suppose that there is an integer j > 1 such that, for all circuits C with fewer than j gates, the construction produces a scheme that realizes $\Gamma(C)$. Let C be a circuit on j gates. Consider the "last" gate, G, in the circuit; again, G could be either an "or" gate or an "and" gate. Let's first consider the case where G is an "or" gate. Denote the input wires to G by $W_i$, $1 \le i \le t$. These t input wires are the outputs of t sub-circuits of C, which we denote $C_i$, $1 \le i \le t$. Corresponding to each $C_i$, we have a (sub-)scheme that realizes the access structure $\Gamma(C_i)$, by induction. Now, it is easy to see that

$$\Gamma(C) = \bigcup_{i=1}^{t} \Gamma(C_i).$$

Since every $W_i$ is assigned the key K, it follows that the scheme realizes $\Gamma(C)$, as desired.

The analysis is similar if G is an "and" gate. In this situation, we have

$$\Gamma(C) = \bigcap_{i=1}^{t} \Gamma(C_i).$$

Since the key K is shared among the t wires $W_i$ using a (t, t)-threshold scheme, it follows again that the scheme realizes $\Gamma(C)$. This completes the proof.

Of course, when an authorized subset, B, wants to compute the key, the participants in B need to know 
the circuit used by D to distribute shares, and which shares correspond to which wires of the circuit. All 
this information will be public knowledge. Only the actual values of the shares are secret. The algorithm 
for reconstructing the key involves combining shares according to the circuit, with the stipulation that an 
"and" gate corresponds to summing the values on the input wires modulo m (provided these values are 
all known), and an "or" gate involves choosing the value on any input wire (with the understanding that 
all these values will be identical). 
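The (t, t)-scheme of Figure 11.2 and the monotone circuit construction of this section, combined into one added Python example that is not code from the book or its authors. A circuit is encoded as nested tuples of ('in', i), ('and', [...]) and ('or', [...]) nodes; `distribute` walks it exactly as the text describes (an or gate copies its value to every input wire, an and gate with t inputs (t, t)-shares it), `reconstruct` combines an authorized subset's shares by summing at and gates and taking any known wire at or gates, and `circuit_from_dnf` builds the DNF circuit of formula (11.1). The node encoding, function names and the `seeded_rng` helper are this example's assumptions.

```python
import random
import secrets
from itertools import combinations

# Circuit encoding assumed by this example: ('in', i) is the input wire of participant
# P_i; ('and', [children]) and ('or', [children]) are gates of arbitrary fan-in.


def circuit_from_dnf(basis):
    """DNF circuit for a basis Gamma_0: an or gate over one and gate per minimal set."""
    return ('or', [('and', [('in', i) for i in sorted(B)]) for B in basis])


def split_tt(value, t, m, rng):
    """(t, t)-threshold scheme in Z_m: t - 1 random shares, the last is value - sum."""
    ys = [rng(m) for _ in range(t - 1)]
    ys.append((value - sum(ys)) % m)
    return ys


def seeded_rng(seed):
    """Deterministic stand-in for the dealer's randomness (tests only)."""
    return random.Random(seed).randrange


def distribute(circuit, key, m, rng=secrets.randbelow):
    """Monotone circuit construction: assign f(W) to every wire, starting with f(W_out) = K.
    Returns {i: [f(W) for each input wire W fed by x_i]} in circuit traversal order."""
    shares = {}

    def assign(node, value):
        kind, body = node
        if kind == 'in':
            shares.setdefault(body, []).append(value)
        elif kind == 'or':                        # every input wire gets the gate's value
            for child in body:
                assign(child, value)
        else:                                     # and gate: (t, t)-share the gate's value
            for child, v in zip(body, split_tt(value, len(body), m, rng)):
                assign(child, v)

    assign(circuit, key % m)
    return shares


def reconstruct(circuit, known, m):
    """Recover the key from known = {i: share list} of the pooling participants.
    Returns None when the subset is not authorized (an and gate lacks an input)."""
    pos = {}

    def value(node):
        kind, body = node
        if kind == 'in':
            k = pos.get(body, 0)
            pos[body] = k + 1                     # consume this participant's next share
            return known[body][k] if body in known else None
        vals = [value(child) for child in body]   # visit all children to keep positions aligned
        if kind == 'or':
            return next((v for v in vals if v is not None), None)
        return None if any(v is None for v in vals) else sum(vals) % m

    return value(circuit)


def closure(basis, w):
    """Gamma = cl(Gamma_0) over participants 1..w."""
    return {frozenset(C) for r in range(1, w + 1)
            for C in combinations(range(1, w + 1), r)
            if any(set(B) <= set(C) for B in basis)}


def recoverable_subsets(circuit, shares, m, w):
    """{subset: recovered value} for every subset whose pooled shares yield a value."""
    out = {}
    for r in range(1, w + 1):
        for C in combinations(range(1, w + 1), r):
            v = reconstruct(circuit, {i: shares.get(i, []) for i in C}, m)
            if v is not None:
                out[frozenset(C)] = v
    return out


if __name__ == "__main__":
    basis = [{1, 2, 4}, {1, 3, 4}, {2, 3}]        # Example 11.2
    dnf = circuit_from_dnf(basis)
    shares = distribute(dnf, 7, 10)
    print(shares, reconstruct(dnf, {2: shares[2], 3: shares[3]}, 10))
```

Running `recoverable_subsets` on the DNF circuit and on the CNF circuit of formula (11.2) returns exactly the closure of Example 11.2 in both cases, while the share lists have lengths 2, 2, 2, 2 for the DNF circuit and 2, 3, 3, 2 for the CNF circuit, which is the difference in information rate discussed in Section 11.5.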

11.4 Formal Definitions

In this section, we will give formal mathematical definitions of a (perfect) secret sharing scheme. We represent a secret sharing scheme by a set of distribution rules. A distribution rule is a function

$$f : \mathcal{P} \to \mathcal{S}.$$

A distribution rule represents a possible distribution of shares to the participants, where $f(P_i)$ is the share given to $P_i$, $1 \le i \le w$.

Now, for each $K \in \mathcal{K}$, let $\mathcal{F}_K$ be a set of distribution rules. $\mathcal{F}_K$ will be the distribution rules corresponding to the key having the value K. The sets of distribution rules $\mathcal{F}_K$ are public knowledge.

Next, define

$$\mathcal{F} = \bigcup_{K \in \mathcal{K}} \mathcal{F}_K;$$

$\mathcal{F}$ is the complete set of distribution rules of the scheme. If $K \in \mathcal{K}$ is the value of the key that D wishes to share, then D will choose a distribution rule $f \in \mathcal{F}_K$, and use it to distribute shares.

This is a completely general model in which we can study secret sharing schemes. Any of our existing schemes can be described in this setting by determining the possible distribution rules which the scheme will use. The fact that this model is mathematically precise makes it easier to give definitions and to present proofs.

It is useful to develop conditions which ensure that a set of distribution rules for a scheme realizes a specified access structure. This will involve looking at certain probability distributions, as we did previously when studying the concept of perfect secrecy. To begin with, we suppose that there is a probability distribution $p_{\mathcal{K}}$ on $\mathcal{K}$. Further, for every $K \in \mathcal{K}$, D will choose a distribution rule in $\mathcal{F}_K$ according to a probability distribution $p_{\mathcal{F}_K}$.

Given these probability distributions, it is straightforward to compute the probability distribution on the list of shares given to any subset of participants, B (authorized or unauthorized). This is done as follows.

Suppose $B \subseteq \mathcal{P}$. Define

$$\mathcal{S}(B) = \{f|_B : f \in \mathcal{F}\},$$

where the function $f|_B$ denotes the restriction of the distribution rule f to B. That is, $f|_B : B \to \mathcal{S}$ is defined by

$$f|_B(P_i) = f(P_i)$$

for all $P_i \in B$. Thus, $\mathcal{S}(B)$ is the set of possible distributions of shares to the participants in B. The probability distribution on $\mathcal{S}(B)$, denoted $p_{\mathcal{S}(B)}$, is computed as follows: Let $f_B \in \mathcal{S}(B)$. Then

$$p_{\mathcal{S}(B)}(f_B) = \sum_{K \in \mathcal{K}} p_{\mathcal{K}}(K) \sum_{\{f \in \mathcal{F}_K :\, f|_B = f_B\}} p_{\mathcal{F}_K}(f).$$

Also

$$p_{\mathcal{S}(B)}(f_B \mid K) = \sum_{\{f \in \mathcal{F}_K :\, f|_B = f_B\}} p_{\mathcal{F}_K}(f)$$

for all $f_B \in \mathcal{S}(B)$, $K \in \mathcal{K}$.

Here now is a formal definition of a perfect secret sharing scheme.
DEFINITION 11.3 Suppose $\Gamma$ is an access structure and $\mathcal{F} = \bigcup_{K \in \mathcal{K}} \mathcal{F}_K$ is a set of distribution rules. Then $\mathcal{F}$ is a perfect secret sharing scheme realizing the access structure $\Gamma$ provided that the following two properties are satisfied:

1. For any authorized subset of participants $B \subseteq \mathcal{P}$, there do not exist two distribution rules $f \in \mathcal{F}_K$ and $f' \in \mathcal{F}_{K'}$ with $K \ne K'$, such that $f|_B = f'|_B$. (That is, any distribution of shares to the participants in an authorized subset B determines the value of the key.)

2. For any unauthorized subset of participants $B \subseteq \mathcal{P}$ and for any distribution of shares $f_B \in \mathcal{S}(B)$, $p_{\mathcal{K}}(K \mid f_B) = p_{\mathcal{K}}(K)$ for every $K \in \mathcal{K}$. (That is, the conditional probability distribution on $\mathcal{K}$, given a distribution of shares $f_B$ to an unauthorized subset B, is the same as the a priori probability distribution on $\mathcal{K}$. In other words, the distribution of shares to B provides no information as to the value of the key.)

Figure 11.5 Distribution rules for a secret sharing scheme

Observe that the second property in Definition 11.3 is very similar to the concept of perfect secrecy; this similarity is why the resulting secret sharing scheme is termed "perfect."

Note that the probability $p_{\mathcal{K}}(K \mid f_B)$ can be computed from the probability distributions exhibited above using Bayes' theorem:

$$p_{\mathcal{K}}(K \mid f_B) = \frac{p_{\mathcal{K}}(K)\, p_{\mathcal{S}(B)}(f_B \mid K)}{p_{\mathcal{S}(B)}(f_B)}.$$
Let us now illustrate these definitions by looking at a small example.

Example 11.5

We will present the distribution rules for the scheme constructed in Example 11.4 when it is implemented in $\mathbb{Z}_2$. Each of $\mathcal{F}_0$ and $\mathcal{F}_1$ contains 16 equiprobable distribution rules. For conciseness, we replace a binary k-tuple by an integer between 0 and $2^k - 1$. If this is done, then $\mathcal{F}_0$ and $\mathcal{F}_1$ are as depicted in Figure 11.5, where each row represents a distribution rule.

This yields a perfect scheme for any probability distribution $p_{\mathcal{K}}$ on the keys. We will not perform all the verifications here, but we will look at a couple of typical cases to illustrate the use of the two properties in Definition 11.3.

The subset $\{P_2, P_3\}$ is an authorized subset. Thus the shares that $P_2$ and $P_3$ receive should (together) determine a unique key. It can easily be checked that any distribution of shares to these two participants occurs in a distribution rule in at most one of the sets $\mathcal{F}_0$ and $\mathcal{F}_1$. For example, if $P_2$ has the share 3 and $P_3$ has the share 6, then the distribution rule must be the eighth rule in $\mathcal{F}_0$ and thus the key is 0.

On the other hand, $B = \{P_1, P_3\}$ is an unauthorized subset. It is not too hard to see that any distribution of shares to these two participants occurs in exactly one distribution rule in $\mathcal{F}_0$ and in exactly one distribution rule in $\mathcal{F}_1$. That is,

$$p_{\mathcal{S}(B)}(f_B \mid K) = \frac{1}{16}$$

for any $f_B \in \mathcal{S}(B)$ and for K = 0, 1. Next, we compute

$$p_{\mathcal{S}(B)}(f_B) = \sum_{K=0}^{1} p_{\mathcal{K}}(K)\, p_{\mathcal{S}(B)}(f_B \mid K) = \sum_{K=0}^{1} \frac{p_{\mathcal{K}}(K)}{16} = \frac{1}{16}.$$

Now, we use Bayes' theorem to compute

$$p_{\mathcal{K}}(K \mid f_B) = \frac{p_{\mathcal{K}}(K)\, p_{\mathcal{S}(B)}(f_B \mid K)}{p_{\mathcal{S}(B)}(f_B)} = \frac{p_{\mathcal{K}}(K)/16}{1/16} = p_{\mathcal{K}}(K),$$

so the second property is satisfied for this subset B.

Similar computations can be performed for other authorized and unauthorized sets, and in each case the appropriate property is satisfied. Hence we have a perfect secret sharing scheme.
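The "similar computations" for every subset can be done mechanically. Here is an added Python example (not the book's own code) that enumerates the 16 distribution rules of each $\mathcal{F}_K$ for the Example 11.4 scheme in $\mathbb{Z}_2$, restricts them to every subset B, and checks property 1 and, via Bayes' theorem with exact fractions, property 2 of Definition 11.3. The representation of a rule as a dict of share tuples, the function names and the constructed prior $p_{\mathcal{K}}(0) = 1/3$, $p_{\mathcal{K}}(1) = 2/3$ are this example's own; the text says the scheme is perfect for any prior, so any choice works.

```python
from fractions import Fraction
from itertools import combinations, product

PARTICIPANTS = (1, 2, 3, 4)


def cnf_rule(a, key, m=2):
    """Distribution rule of the Example 11.4 scheme: the dealer's random choice
    a = (a1, a2, a3, a4) and the key fix every share; the fifth and-gate input
    is K - a1 - a2 - a3 - a4 mod m."""
    a1, a2, a3, a4 = a
    last = (key - a1 - a2 - a3 - a4) % m
    return {1: (a1, a2), 2: (a1, a3, a4), 3: (a2, a3, last), 4: (a4, last)}


def distribution_rules(m=2):
    """F_K for each K in Z_m: all m^4 rules, taken as equiprobable."""
    return {K: [cnf_rule(a, K, m) for a in product(range(m), repeat=4)]
            for K in range(m)}


def restrict(f, B):
    """f|_B as a hashable tuple of (participant, share) pairs."""
    return tuple((i, f[i]) for i in sorted(B))


def p_shares_given_key(rules, B, K, fB):
    """p_{S(B)}(f_B | K): fraction of the equiprobable rules in F_K restricting to f_B."""
    FK = rules[K]
    return Fraction(sum(restrict(f, B) == fB for f in FK), len(FK))


def posterior(rules, pK, B, K, fB):
    """p_K(K | f_B) by Bayes' theorem."""
    p_fB = sum(pK[K2] * p_shares_given_key(rules, B, K2, fB) for K2 in rules)
    return pK[K] * p_shares_given_key(rules, B, K, fB) / p_fB


def classify(rules, pK):
    """Split all non-empty subsets into: authorized (property 1 holds), unauthorized
    (property 2 holds for every f_B and K), and violations (neither holds)."""
    authorized, unauthorized, violations = set(), set(), set()
    for r in range(1, len(PARTICIPANTS) + 1):
        for B in combinations(PARTICIPANTS, r):
            B = frozenset(B)
            key_of = {}                     # f_B -> first key it was seen under
            determines = True
            for K, FK in rules.items():
                for f in FK:
                    if key_of.setdefault(restrict(f, B), K) != K:
                        determines = False  # same f_B under two keys: property 1 fails
            if determines:
                authorized.add(B)
                continue
            ok = all(posterior(rules, pK, B, K, fB) == pK[K]
                     for fB in key_of for K in rules)
            (unauthorized if ok else violations).add(B)
    return authorized, unauthorized, violations


def example_11_5():
    """Run the full check with the constructed prior p_K(0) = 1/3, p_K(1) = 2/3."""
    rules = distribution_rules()
    pK = {0: Fraction(1, 3), 1: Fraction(2, 3)}
    return classify(rules, pK)


if __name__ == "__main__":
    auth, unauth, bad = example_11_5()
    print(sorted(sorted(B) for B in auth), "violations:", bad)
```

The set returned as authorized must equal the closure $\Gamma$ of Example 11.2 and the violation set must be empty; that is the computational statement "we have a perfect secret sharing scheme".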

11.5 Information Rate

The results of Section 11.3 prove that any monotone access structure can be realized by a perfect secret sharing scheme. We now want to consider the efficiency of the resulting schemes. In the case of a (t, w)-threshold scheme, we can construct a circuit corresponding to the disjunctive normal form boolean formula, which will have $\binom{w}{t} + 1$ gates. Each participant will receive $\binom{w-1}{t-1}$ elements of $\mathbb{Z}_m$ as his or her share. This seems very inefficient, since a Shamir (t, w)-threshold scheme enables a key to be shared by giving each participant only one "piece" of information.

In general, we measure the efficiency of a secret sharing scheme by the information rate, which we define now.

DEFINITION 11.4 Suppose we have a perfect secret sharing scheme realizing an access structure $\Gamma$. The information rate for $P_i$ is the ratio

$$\rho_i = \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{S}(P_i)|}.$$

(Note that $\mathcal{S}(P_i)$ denotes the set of possible shares that $P_i$ might receive; of course $\mathcal{S}(P_i) \subseteq \mathcal{S}$.) The information rate of the scheme is denoted by $\rho$ and is defined as

$$\rho = \min\{\rho_i : 1 \le i \le w\}.$$

The motivation for this definition is as follows. Since the key K comes from a finite set $\mathcal{K}$, we can think of K as being represented by a bit-string of length $\log_2 |\mathcal{K}|$, by using a binary encoding, for example. In a similar way, a share given to $P_i$ can be represented by a bit-string of length $\log_2 |\mathcal{S}(P_i)|$. Intuitively, $P_i$ receives $\log_2 |\mathcal{S}(P_i)|$ bits of information (in his or her share), but the information content of the key is $\log_2 |\mathcal{K}|$ bits. Thus $\rho_i$ is the ratio of the number of bits in a share to the number of bits in the key.

i 

Example 11.6

Let's look at the two schemes from Section 11.3. The scheme produced in Example 11.3 has

$$\rho = \frac{\log_2 m}{\log_2 m^2} = \frac{1}{2}.$$

However, in Example 11.4, we get a scheme with

$$\rho = \frac{\log_2 m}{\log_2 m^3} = \frac{1}{3}.$$

Hence, the first implementation is preferable.

In general, if we construct a scheme from a circuit C using the monotone circuit construction, then the information rate can be computed as indicated in the following theorem.
THEOREM 11.2

Let C be any monotone boolean circuit. Then there is a perfect secret sharing scheme realizing the access structure $\Gamma(C)$ having information rate

$$\rho = \min\{1/r_i : 1 \le i \le w\},$$

where $r_i$ denotes the number of input wires to C carrying the input $x_i$.

With respect to threshold access structures, we observe that the Shamir scheme will have information rate 1, which we show below is the optimal value. In contrast, an implementation of a (t, w)-threshold scheme using a disjunctive normal form boolean circuit will have information rate $1 / \binom{w-1}{t-1}$, which is much lower (and therefore inferior) if 1 < t < w.

Obviously, a high information rate is desirable. The first general result we prove is that $\rho \le 1$ in any scheme.

THEOREM 11.3

In any perfect secret sharing scheme realizing an access structure $\Gamma$, $\rho \le 1$.

PROOF Suppose we have a perfect secret sharing scheme that realizes the access structure $\Gamma$. Let $B \in \Gamma_0$ and choose any participant $P_j \in B$. Define $B' = B \setminus \{P_j\}$. Let $g \in \mathcal{S}(B)$. Now, $B' \notin \Gamma$, so the distribution of shares $g|_{B'}$ provides no information about the key. Hence, for each $K \in \mathcal{K}$ there is a distribution rule $g^K \in \mathcal{F}_K$ such that $g^K|_{B'} = g|_{B'}$. Since $B \in \Gamma$, it must be the case that $g^K(P_j) \ne g^{K'}(P_j)$ if $K \ne K'$. Hence, $|\mathcal{S}(P_j)| \ge |\mathcal{K}|$ and thus $\rho_j \le 1$.

Since $\rho = 1$ is the optimal situation, we refer to such a scheme as an ideal scheme. The Shamir schemes are ideal schemes. In the next section, we present a construction for ideal schemes that generalizes the Shamir schemes.

11.6 The Brickell Vector Space Construction 

In this section, we present a construction for certain ideal schemes known as the Brickell vector space 
construction. 

Suppose $\Gamma$ is an access structure, and let $(\mathbb{Z}_p)^d$ denote the vector space of all d-tuples over $\mathbb{Z}_p$, where p is prime and $d \ge 2$. Suppose there exists a function

$$\phi : \mathcal{P} \to (\mathbb{Z}_p)^d$$

which satisfies the property

$$(1, 0, \ldots, 0) \in \langle \phi(P_i) : P_i \in B \rangle \iff B \in \Gamma. \qquad (11.3)$$

Figure 11.6 The Brickell scheme

In other words, the vector (1, 0, . . . , 0) can be expressed as a linear combination of the vectors in the set $\{\phi(P_i) : P_i \in B\}$ if and only if B is an authorized subset.

Now, suppose there is a function $\phi$ that satisfies Property (11.3). (In general, finding such a function is often a matter of trial and error, though we will see some explicit constructions of suitable functions $\phi$ for certain access structures a bit later.) We are going to construct an ideal secret sharing scheme with $\mathcal{K} = \mathcal{S}(P_i) = \mathbb{Z}_p$, $1 \le i \le w$. The distribution rules of the scheme are as follows: for every vector $\mathbf{a} = (a_1, \ldots, a_d) \in (\mathbb{Z}_p)^d$, define a distribution rule $f_{\mathbf{a}} \in \mathcal{F}_{a_1}$, where

$$f_{\mathbf{a}}(x) = \mathbf{a} \cdot \phi(x)$$

for every $x \in \mathcal{P}$, and the operation "$\cdot$" is the inner product modulo p.

Note that each $\mathcal{F}_K$ contains $p^{d-1}$ distribution rules. We will suppose that each probability distribution $p_{\mathcal{F}_K}$ is equiprobable: $p_{\mathcal{F}_K}(f) = 1/p^{d-1}$ for every $f \in \mathcal{F}_K$. The Brickell scheme is presented in Figure 11.6.

We have the following result.
THEOREM 11.4

Suppose $\phi$ satisfies Property (11.3). Then the sets of distribution rules $\mathcal{F}_K$, $K \in \mathbb{Z}_p$, comprise an ideal scheme that realizes $\Gamma$.

PROOF First, we will show that if B is an authorized subset, then the participants in B can compute K. Since

$$(1, 0, \ldots, 0) \in \langle \phi(P_i) : P_i \in B \rangle,$$

we can write

$$(1, 0, \ldots, 0) = \sum_{\{i : P_i \in B\}} c_i \phi(P_i),$$

where each $c_i \in \mathbb{Z}_p$. Denote by $s_i$ the share given to $P_i$. Then

$$s_i = \mathbf{a} \cdot \phi(P_i),$$

where $\mathbf{a}$ is an unknown vector chosen by D and

$$K = a_1 = \mathbf{a} \cdot (1, 0, \ldots, 0).$$

By the linearity of the inner product operation,

$$K = \mathbf{a} \cdot \sum_{\{i : P_i \in B\}} c_i \phi(P_i) = \sum_{\{i : P_i \in B\}} c_i (\mathbf{a} \cdot \phi(P_i)) = \sum_{\{i : P_i \in B\}} c_i s_i.$$

Thus, it is a simple matter for the participants in B to compute

$$K = \sum_{\{i : P_i \in B\}} c_i s_i.$$
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What happens if B is not an authorized subset? Denote by e the dimension of the subspace <(|)(P.) : P. e 
B) (note that e < IB I). Choose any , and consider the system of equations: 

<j>(Pi) a = ^yPi 
(L t 0,.„,0) a = K. 

This is a system of linear equations in the d unknowns . . . , a . The coefficient matrix has rank e + 1, 
since 

(1,0 0) 4 MR) : Pt 6 B) 

Provided the system of equations is consistent, the solution space has dimension d - e - 1 (independent of 

d e i r- 

the value of K). It will then follow that there are precisely p distribution rules in each r K that are 
consistent with any possible distribution of shares to B. By a similar computation as was performed in 

Example 11.5, we see that for every K £ where/ (P) = s. for all P. e B. 

B i i i 



Why is the system consistent? The first IB I equations are consistent, since the vector d chosen by D is a 
solution. Since 

(l,0,...,0)sf MPi):PiZB) 

(as mentioned above) the last equation is consistent with the first IB I equations. This completes the 
proof. 

It is interesting to observe that the Shamir $(t, w)$-threshold scheme is a special case of the vector space construction. To see this, define $d = t$ and let

$$\phi(P_i) = (1, x_i, x_i^2, \ldots, x_i^{t-1})$$

for $1 \le i \le w$, where $x_i$ is the $x$-coordinate given to $P_i$. Then $\vec{a} \cdot \phi(P_i) = a_1 + a_2 x_i + \cdots + a_t x_i^{t-1}$ is exactly the value at $x_i$ of a polynomial of degree at most $t - 1$ whose constant term is the key $a_1$. The resulting scheme is equivalent to the Shamir scheme; we leave the details to the reader to check.



Here is another general result that is easy to prove. It concerns access structures that have as a basis a collection of pairs of participants that forms a complete multipartite graph. A graph $G = (V, E)$ with vertex set $V$ and edge set $E$ is defined to be a complete multipartite graph if the vertex set $V$ can be partitioned into subsets $V_1, \ldots, V_t$ such that $\{x, y\} \in E$ if and only if $x \in V_i$, $y \in V_j$, where $i \ne j$. The sets $V_i$ are called parts. The complete multipartite graph is denoted by $K_{n_1, \ldots, n_t}$ if $|V_i| = n_i$, $1 \le i \le t$. The complete multipartite graph $K_{1, \ldots, 1}$ (with $t$ parts) is in fact a complete graph and is denoted $K_t$.

THEOREM 11.5

Suppose $G = (V, E)$ is a complete multipartite graph. Then there is an ideal scheme realizing the access structure $\mathrm{cl}(E)$ on participant set $V$.

PROOF Let $V_1, \ldots, V_t$ be the parts of $G$. Let $x_1, \ldots, x_t$ be distinct elements of $\mathbb{Z}_p$, where $p \ge t$. Let $d = 2$. For every participant $v \in V_i$, define $\phi(v) = (x_i, 1)$.

It is straightforward to verify Property (11.3): two participants from different parts $V_i$ and $V_j$ have $\phi$-vectors $(x_i, 1)$ and $(x_j, 1)$ with $x_i \ne x_j$, which span $(\mathbb{Z}_p)^2$ and so contain $(1, 0)$, whereas a set of participants drawn from a single part $V_i$ spans only the multiples of $(x_i, 1)$, none of which is $(1, 0)$. By Theorem 11.4, we have an ideal scheme.

To illustrate the application of these constructions, we will consider the possible access structures for up to four participants. Note that it suffices to consider only the access structures in which the basis cannot be partitioned into two non-empty subsets on disjoint participant sets. (For example, $\Gamma_0 = \{\{P_1, P_2\}, \{P_3, P_4\}\}$ can be partitioned as $\{\{P_1, P_2\}\} \cup \{\{P_3, P_4\}\}$, so we do not consider it.) We list the non-isomorphic access structures of this type on two, three, and four participants in Table 11.1 (the quantities $\rho^*$ are defined in Section 11.7).

Table 11.1 Access structures for at most four participants

  #    w   subsets in $\Gamma_0$                                    $\rho^*$   comments
  1    2   P1P2                                                       1       (2, 2)-threshold
  2    3   P1P2, P2P3                                                 1       $\Gamma_0 = K_{1,2}$
  3    3   P1P2, P2P3, P1P3                                           1       (2, 3)-threshold
  4    3   P1P2P3                                                     1       (3, 3)-threshold
  5    4   P1P2, P2P3, P3P4                                           2/3
  6    4   P1P2, P1P3, P1P4                                           1       $\Gamma_0 = K_{1,3}$
  7    4   P1P2, P1P4, P2P3, P3P4                                     1       $\Gamma_0 = K_{2,2}$
  8    4   P1P2, P2P3, P2P4, P3P4                                     2/3
  9    4   P1P2, P1P3, P1P4, P2P3, P2P4                               1       $\Gamma_0 = K_{1,1,2}$
 10    4   P1P2, P1P3, P1P4, P2P3, P2P4, P3P4                         1       (2, 4)-threshold
 11    4   P1P2P3, P1P4                                               1
 12    4   P1P3P4, P1P2, P2P3                                         2/3
 13    4   P1P3P4, P1P2, P2P3, P2P4                                   2/3
 14    4   P1P2P3, P1P2P4                                             1
 15    4   P1P2P3, P1P2P4, P3P4                                       1
 16    4   P1P2P3, P1P2P4, P1P3P4                                     1
 17    4   P1P2P3, P1P2P4, P1P3P4, P2P3P4                             1       (3, 4)-threshold
 18    4   P1P2P3P4                                                   1       (4, 4)-threshold

Of these 18 access structures, we can already obtain ideal schemes for ten of them using the constructions we have at our disposal now. These ten access structures are either threshold access structures (# 1, 3, 4, 10, 17 and 18) or have a basis which is a complete multipartite graph (# 2, 6, 7 and 9), so Theorem 11.5 can be applied. One such access structure is # 9, whose basis is the complete multipartite graph $K_{1,1,2}$ with parts $\{P_1\}$, $\{P_2\}$ and $\{P_3, P_4\}$. We illustrate in the following example.

Example 11.7

For access structure # 9, take $d = 2$, $p \ge 3$, and define $\phi$ as follows:

$$\phi(P_1) = (0, 1), \quad \phi(P_2) = (1, 1), \quad \phi(P_3) = (2, 1), \quad \phi(P_4) = (2, 1).$$

Applying Theorem 11.5, an ideal scheme results.

Eight access structures remain to be considered. It is possible to use ad hoc applications of the vector space construction to construct ideal schemes for four of these: # 11, # 14, # 15 and # 16. We present the constructions for # 11 and # 14 here.

Example 11.8

For access structure # 11, take $d = 3$, $p \ge 3$, and define $\phi$ as follows:

$$\phi(P_1) = (0, 1, 0), \quad \phi(P_2) = (1, 0, 1), \quad \phi(P_3) = (0, 1, -1), \quad \phi(P_4) = (1, 1, 0).$$

First, we have

$$\phi(P_4) - \phi(P_1) = (1, 1, 0) - (0, 1, 0) = (1, 0, 0).$$

Also,

$$\phi(P_2) + \phi(P_3) - \phi(P_1) = (1, 0, 1) + (0, 1, -1) - (0, 1, 0) = (1, 0, 0).$$

Hence,

$$(1, 0, 0) \in \langle \phi(P_1), \phi(P_2), \phi(P_3) \rangle$$

and

$$(1, 0, 0) \in \langle \phi(P_1), \phi(P_4) \rangle.$$

Now, it suffices to show that

$$(1, 0, 0) \notin \langle \phi(P_i) : P_i \in B \rangle$$

if $B$ is a maximal unauthorized subset. There are three such subsets $B$ to be considered: $\{P_1, P_2\}$, $\{P_1, P_3\}$, and $\{P_2, P_3, P_4\}$. In each case, we need to establish that a system of linear equations has no solution. For example, suppose that

$$(1, 0, 0) = a_2\, \phi(P_2) + a_3\, \phi(P_3) + a_4\, \phi(P_4),$$

where $a_2, a_3, a_4 \in \mathbb{Z}_p$. This is equivalent to the system

$$\begin{aligned} a_2 + a_4 &= 1 \\ a_3 + a_4 &= 0 \\ a_2 - a_3 &= 0. \end{aligned}$$

The system is easily seen to have no solution: the last two equations give $a_2 = a_3 = -a_4$, so the first equation reads $0 = 1$. We leave the other two subsets $B$ for the reader to consider.

Example 11.9

For access structure # 14, take $d = 3$, $p \ge 2$ and define $\phi$ as follows:

$$\phi(P_1) = (0, 1, 0), \quad \phi(P_2) = (1, 0, 1), \quad \phi(P_3) = (0, 1, 1), \quad \phi(P_4) = (0, 1, 1).$$

Again, Property (11.3) is satisfied and hence an ideal scheme results.

Constructions of ideal schemes for the access structures # 15 and # 16 are left as exercises. In the next section, we will show that the remaining four access structures cannot be realized by ideal schemes.
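The following is an added example (not from the book) that mechanises Theorem 11.4 and Examples 11.8 and 11.9: it checks Property (11.3) for a candidate $\phi$ by testing, for every subset $B$ of participants, whether $(1, 0, \ldots, 0)$ lies in the span of $\{\phi(P_i) : P_i \in B\}$ over $\mathbb{Z}_p$, and it then distributes shares $s_i = \vec{a} \cdot \phi(P_i)$ and recovers $K = \sum c_i s_i$ from an authorized subset by solving for the coefficients $c_i$. The prime $p = 7$, the participant names and the deliberately wrong $\phi$ for # 11 are choices made for this example.

```python
"""Brickell's vector space construction (Theorem 11.4) over Z_p.

Added example, not from the book: checks Property (11.3) for a candidate
phi by brute force over every subset of participants, then distributes
shares and reconstructs the key from an authorized subset by solving for
the coefficients c_i with sum c_i * phi(P_i) = (1, 0, ..., 0).
"""
import random
from itertools import combinations


def solve_mod_p(columns, target, p):
    """Return c with sum_i c[i]*columns[i] == target over Z_p, or None."""
    n, d = len(columns), len(target)
    aug = [[columns[j][i] % p for j in range(n)] + [target[i] % p]
           for i in range(d)]
    pivots, row = [], 0
    for col in range(n):                       # Gauss-Jordan elimination mod p
        piv = next((r for r in range(row, d) if aug[r][col]), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, p)
        aug[row] = [(x * inv) % p for x in aug[row]]
        for r in range(d):
            if r != row and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[row])]
        pivots.append(col)
        row += 1
    for r in range(row, d):                    # zero row with non-zero RHS: no solution
        if aug[r][n]:
            return None
    c = [0] * n
    for r, col in enumerate(pivots):
        c[col] = aug[r][n]
    return c


def is_authorized(B, basis):
    """B is authorized iff it contains some minimal authorized set."""
    return any(set(b) <= set(B) for b in basis)


def property_11_3_holds(phi, basis, p):
    """(1,0,...,0) in <phi(P_i) : P_i in B>  <=>  B in cl(basis), for every B."""
    names = sorted(phi)
    d = len(phi[names[0]])
    e1 = [1] + [0] * (d - 1)
    for k in range(1, len(names) + 1):
        for B in combinations(names, k):
            spanned = solve_mod_p([phi[x] for x in B], e1, p) is not None
            if spanned != is_authorized(B, basis):
                return False
    return True


def distribute(phi, key, p, seed=0):
    """Dealer picks a = (K, a_2, ..., a_d) at random; share of x is a . phi(x)."""
    rng = random.Random(seed)                  # fixed seed so the example is repeatable
    d = len(next(iter(phi.values())))
    a = [key % p] + [rng.randrange(p) for _ in range(d - 1)]
    return {x: sum(ai * xi for ai, xi in zip(a, phi[x])) % p for x in phi}


def reconstruct(phi, shares, B, p):
    """Solve sum c_i phi(P_i) = (1,0,...,0); then K = sum c_i s_i (Theorem 11.4)."""
    d = len(next(iter(phi.values())))
    c = solve_mod_p([phi[x] for x in B], [1] + [0] * (d - 1), p)
    if c is None:
        raise ValueError(f"{B} is not authorized: (1,0,...,0) not in span")
    return sum(ci * shares[x] for ci, x in zip(c, B)) % p


# Example 11.8 (access structure #11) and Example 11.9 (#14) from the text.
PHI_11 = {"P1": [0, 1, 0], "P2": [1, 0, 1], "P3": [0, 1, -1], "P4": [1, 1, 0]}
BASIS_11 = [("P1", "P2", "P3"), ("P1", "P4")]
PHI_14 = {"P1": [0, 1, 0], "P2": [1, 0, 1], "P3": [0, 1, 1], "P4": [0, 1, 1]}
BASIS_14 = [("P1", "P2", "P3"), ("P1", "P2", "P4")]
# A deliberately wrong phi for #11 (constructed): {P1, P4} can no longer reach (1,0,0).
PHI_11_BAD = dict(PHI_11, P4=[0, 1, 1])


def demo(phi, basis, p, key, seed=0):
    """Distribute a key and recover it from every minimal authorized subset."""
    shares = distribute(phi, key, p, seed)
    return {B: reconstruct(phi, shares, B, p) for B in basis}


if __name__ == "__main__":
    for name, phi, basis in [("#11", PHI_11, BASIS_11), ("#14", PHI_14, BASIS_14)]:
        print(name, "Property (11.3):", property_11_3_holds(phi, basis, 7))
        print(name, "recovered keys:", demo(phi, basis, 7, key=5))
    print("bad phi for #11:", property_11_3_holds(PHI_11_BAD, BASIS_11, 7))
```

The brute-force check is exponential in the number of participants and is meant for small access structures like those in Table 11.1; for larger ones it suffices to test the minimal authorized sets and the maximal unauthorized sets, as Example 11.8 does by hand.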
11.7 An Upper Bound on the Information Rate

Four access structures remain to be considered: # 5, # 8, # 12, and # 13. We will see in this section that in each case, there does not exist a scheme having information rate $\rho > 2/3$.

Denote by $\rho^* = \rho^*(\Gamma)$ the maximum information rate for any perfect secret sharing scheme realizing a specified access structure $\Gamma$. The first result we present is an entropy bound that will lead to an upper bound on $\rho^*$ for certain access structures. We have defined a probability distribution $p_{\mathcal{K}}$ on $\mathcal{K}$; the entropy of this probability distribution is denoted $H(K)$. We have also defined the probability distribution on the shares given to a subset $B \subseteq \mathcal{P}$; we will denote the entropy of this probability distribution by $H(B)$.

We begin by giving yet another definition of perfect secret sharing schemes, this time using the language of entropy. This definition is equivalent to Definition 11.3.

DEFINITION 11.5 Suppose $\Gamma$ is an access structure and $\mathcal{F}$ is a set of distribution rules. Then $\mathcal{F}$ is a perfect secret sharing scheme realizing the access structure $\Gamma$ provided that the following two properties are satisfied:

1. For any authorized subset of participants $B \subseteq \mathcal{P}$ (that is, $B \in \Gamma$), $H(K \mid B) = 0$.

2. For any unauthorized subset of participants $B \subseteq \mathcal{P}$ (that is, $B \notin \Gamma$), $H(K \mid B) = H(K)$.

We will require several entropy identities and inequalities. Some of these results were given in Section 2.3 and the rest are proved similarly, so we state them without proof in the following Lemma.

LEMMA 11.6

Let $X$, $Y$ and $Z$ be random variables. Then the following hold:

$$H(XY) = H(X \mid Y) + H(Y) \tag{11.4}$$

$$H(XY \mid Z) = H(X \mid YZ) + H(Y \mid Z) \tag{11.5}$$

$$H(XY \mid Z) = H(Y \mid XZ) + H(X \mid Z) \tag{11.6}$$

$$H(X \mid Y) \ge 0 \tag{11.7}$$

$$H(X \mid Z) \ge H(X \mid YZ) \tag{11.8}$$

$$H(XY \mid Z) \ge H(Y \mid Z) \tag{11.9}$$

We next prove two preliminary entropy lemmas for secret sharing schemes.

LEMMA 11.7

Suppose $\Gamma$ is an access structure and $\mathcal{F}$ is a set of distribution rules realizing $\Gamma$. Suppose $B \notin \Gamma$ and $A \cup B \in \Gamma$, where $A, B \subseteq \mathcal{P}$. Then

$$H(A \mid B) = H(K) + H(A \mid BK).$$

PROOF From Equations (11.5) and (11.6), we have that

$$H(AK \mid B) = H(A \mid BK) + H(K \mid B)$$

and

$$H(AK \mid B) = H(K \mid AB) + H(A \mid B),$$

so

$$H(A \mid BK) + H(K \mid B) = H(K \mid AB) + H(A \mid B).$$

Since, by Property 2 of Definition 11.5, we have

$$H(K \mid B) = H(K),$$

and, by Property 1 of Definition 11.5, we have

$$H(K \mid AB) = 0,$$

the result follows.

LEMMA 11.8

Suppose $\Gamma$ is an access structure and $\mathcal{F}$ is a set of distribution rules realizing $\Gamma$. Suppose $A \cup B \notin \Gamma$, where $A, B \subseteq \mathcal{P}$. Then

$$H(A \mid B) = H(A \mid BK).$$

PROOF As in Lemma 11.7, we have that

$$H(A \mid BK) + H(K \mid B) = H(K \mid AB) + H(A \mid B).$$

Since both $B$ and $A \cup B$ are unauthorized, Property 2 of Definition 11.5 gives

$$H(K \mid B) = H(K)$$

and

$$H(K \mid AB) = H(K),$$

and the result follows.

We now prove the following important theorem.

THEOREM 11.9

Suppose $\Gamma$ is an access structure on participant set $\mathcal{P}$, and suppose $X, Y \in \mathcal{P}$ and $W, Z \subseteq \mathcal{P}$ are such that

$$W \cup \{X\},\ \{X, Y\},\ \{Y\} \cup Z \in \Gamma$$

and

$$\{X\},\ W \cup \{Y\},\ W \cup Z \notin \Gamma.$$

Let $\mathcal{F}$ be any perfect secret sharing scheme realizing $\Gamma$. Then $H(XY) \ge 3H(K)$.

PROOF We establish a sequence of inequalities (in the entropy expressions, $WZ$ stands for the shares of the participants in $W \cup Z$, and so on):

$$\begin{aligned}
H(K) &= H(Y \mid WZ) - H(Y \mid WZK) && \text{by Lemma 11.7} \\
&\le H(Y \mid WZ) && \text{by (11.7)} \\
&\le H(Y \mid W) && \text{by (11.8)} \\
&= H(Y \mid WK) && \text{by Lemma 11.8} \\
&\le H(XY \mid WK) && \text{by (11.9)} \\
&= H(X \mid WK) + H(Y \mid WXK) && \text{by (11.5)} \\
&\le H(X \mid WK) + H(Y \mid XK) && \text{by (11.8)} \\
&= H(X \mid W) - H(K) + H(Y \mid X) - H(K) && \text{by Lemma 11.7} \\
&\le H(X) - H(K) + H(Y \mid X) - H(K) && \text{by (11.8)} \\
&= H(XY) - 2H(K) && \text{by (11.4).}
\end{aligned}$$

Hence, the result follows.
COROLLARY 11.10

Suppose that $\Gamma$ is an access structure that satisfies the hypotheses of Theorem 11.9. Suppose the keys are equally probable. Then $\rho \le 2/3$.

PROOF Since the keys are equiprobable, we have

$$H(K) = \log_2 |\mathcal{K}|.$$

Also, we have that

$$H(XY) \le H(X) + H(Y) \le \log_2 |\mathcal{S}(X)| + \log_2 |\mathcal{S}(Y)|.$$

By Theorem 11.9, we have that

$$H(XY) \ge 3H(K).$$

Hence it follows that

$$\log_2 |\mathcal{S}(X)| + \log_2 |\mathcal{S}(Y)| \ge 3 \log_2 |\mathcal{K}|.$$

Now, by the definition of information rate, we have

$$\rho \le \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{S}(X)|} \quad \text{and} \quad \rho \le \frac{\log_2 |\mathcal{K}|}{\log_2 |\mathcal{S}(Y)|}.$$

It follows that

$$3 \log_2 |\mathcal{K}| \le \log_2 |\mathcal{S}(X)| + \log_2 |\mathcal{S}(Y)| \le \frac{\log_2 |\mathcal{K}|}{\rho} + \frac{\log_2 |\mathcal{K}|}{\rho} = \frac{2 \log_2 |\mathcal{K}|}{\rho}.$$

Hence, $\rho \le 2/3$.

For the access structures # 5, # 8, # 12, and # 13, the hypotheses of Theorem 11.9 are satisfied (for # 5 and # 8 take $W = \{P_1\}$, $X = P_2$, $Y = P_3$, $Z = \{P_4\}$; for # 12 and # 13 take $W = \{P_1\}$, $X = P_2$, $Y = P_3$, $Z = \{P_1, P_4\}$). Hence, $\rho^* \le 2/3$ for these four access structures.

We also have the following result concerning $\rho^*$ in the case where the access structure has a basis $\Gamma_0$ which is a graph. The proof involves showing that any connected graph which is not a complete multipartite graph contains an induced subgraph on four vertices that is isomorphic to the basis of access structure # 5 or # 8. If $G = (V, E)$ is a graph with vertex set $V$ and edge set $E$, and $V_1 \subseteq V$, then the induced subgraph $G[V_1]$ is defined to be the graph $(V_1, E_1)$, where

$$E_1 = \{uv \in E : u, v \in V_1\}.$$

THEOREM 11.11

Suppose $G$ is a connected graph that is not a complete multipartite graph. Let $\Gamma(G)$ be the access structure that is the closure of $E$, where $E$ is the edge set of $G$. Then $\rho^*(\Gamma(G)) \le 2/3$.

PROOF We will first prove that any connected graph that is not a complete multipartite graph must contain four vertices $w, x, y, z$ such that the induced subgraph $G[w, x, y, z]$ is isomorphic to either the basis of access structure # 5 or # 8.

Let $\overline{G}$ denote the complement of $G$. Since $G$ is not a complete multipartite graph, there must exist three vertices $x, y, z$ such that $xy, yz \in E(\overline{G})$ and $xz \in E(G)$. (A graph is complete multipartite exactly when non-adjacency is an equivalence relation on its vertices; the triple $x, y, z$ witnesses a failure of transitivity.) Define

$$d = \min\{d_G(y, x),\ d_G(y, z)\},$$

where $d_G$ denotes the length of a shortest path (in $G$) between two vertices. Then $d \ge 2$. Without loss of generality, we can assume that $d = d_G(y, x)$ by symmetry.

Let

$$y = y_0, y_1, \ldots, y_d = x$$

be a path in $G$. We have that

$$y_{d-2}x,\ y_{d-2}z \notin E(G)$$

(otherwise there would be a path of length at most $d - 1$ from $y$ to $x$ or to $z$) and

$$y_{d-2}y_{d-1},\ y_{d-1}x,\ xz \in E(G).$$

It follows that $G[y_{d-2}, y_{d-1}, x, z]$ is isomorphic to the basis of access structure # 5 or # 8 (the two cases being $y_{d-1}z \notin E(G)$ and $y_{d-1}z \in E(G)$ respectively), as desired.

So, we can assume that we have found four vertices $w, x, y, z$ such that the induced subgraph $G[w, x, y, z]$ is isomorphic to either the basis of access structure # 5 or # 8. Now, let $\mathcal{F}$ be any scheme realizing the access structure $\Gamma(G)$. If we restrict the domain of the distribution rules to $\{w, x, y, z\}$, then we obtain a scheme $\mathcal{F}'$ realizing access structure # 5 or # 8. It is also obvious that $\rho(\mathcal{F}) \le \rho(\mathcal{F}')$, since the information rate is the minimum of the rates of the individual participants and $\mathcal{F}'$ involves only some of them. Since $\rho(\mathcal{F}') \le 2/3$, it follows that $\rho(\mathcal{F}) \le 2/3$. This completes the proof.

Since $\rho^* = 1$ for complete multipartite graphs, Theorem 11.11 tells us that it is never the case that $2/3 < \rho^* < 1$ for any access structure that is the closure of the edge set of a connected graph.

11.8 The Decomposition Construction

We still have four access structures in Table 11.1 to consider. Of course, we can use the monotone circuit construction to produce schemes for these access structures. However, by this method, the best we can do is to obtain information rate $\rho = 1/2$ in each case. We can get $\rho = 1/2$ in cases # 5 and # 12 by using a disjunctive normal form boolean circuit. For cases # 8 and # 13, a disjunctive normal form boolean circuit will yield $\rho = 1/3$, but other monotone circuits exist which allow us to attain $\rho = 1/2$. But in fact, it is possible to construct schemes with $\rho = 2/3$ for each of these four access structures, by employing constructions that use ideal schemes as building blocks in the construction of larger schemes.

We present a construction of this type called the "decomposition construction." First, we need to define an important concept.

DEFINITION 11.6 Suppose $\Gamma$ is an access structure having basis $\Gamma_0$. Let $\mathcal{K}$ be a specified key set. An ideal $\mathcal{K}$-decomposition of $\Gamma_0$ consists of a set $\{\Gamma_1, \ldots, \Gamma_n\}$ such that the following properties are satisfied:

1. $\Gamma_k \subseteq \Gamma_0$ for $1 \le k \le n$

2. $\bigcup_{k=1}^{n} \Gamma_k = \Gamma_0$

3. for $1 \le k \le n$, there exists an ideal scheme with key set $\mathcal{K}$, on the subset of participants

$$\mathcal{P}_k = \bigcup_{B \in \Gamma_k} B,$$

for the access structure having basis $\Gamma_k$.

Given an ideal $\mathcal{K}$-decomposition of an access structure $\Gamma$, we can easily construct a perfect secret sharing scheme, as described in the following theorem.

THEOREM 11.12

Suppose $\Gamma$ is an access structure having basis $\Gamma_0$. Let $\mathcal{K}$ be a specified key set, and suppose $\{\Gamma_1, \ldots, \Gamma_n\}$ is an ideal $\mathcal{K}$-decomposition of $\Gamma_0$. For every participant $P_i$, define

$$R_i = |\{k : P_i \in \mathcal{P}_k\}|.$$

Then there exists a perfect secret sharing scheme realizing $\Gamma$, having information rate $\rho = 1/R$, where

$$R = \max\{R_i : 1 \le i \le w\}.$$

PROOF For $1 \le k \le n$, we have an ideal scheme realizing the access structure with basis $\Gamma_k$, with key set $\mathcal{K}$, having $\mathcal{F}_k$ as its set of distribution rules. We will construct a scheme realizing $\Gamma$, with key set $\mathcal{K}$. The set of distribution rules $\mathcal{F}$ is constructed according to the following recipe. Suppose $D$ wants to share a key $K$. Then, for $1 \le k \le n$, he chooses a random distribution rule $f_k \in \mathcal{F}_k$ for the key $K$ and distributes the resulting shares to the participants in $\mathcal{P}_k$.

We omit the proof that the scheme is perfect. However, it is easy to compute the information rate of the resulting scheme. Since each of the component schemes is ideal, it follows that

$$|\mathcal{S}(P_i)| = |\mathcal{K}|^{R_i}$$

for $1 \le i \le w$. So

$$\rho_i = \frac{1}{R_i}$$

and

$$\rho = \frac{1}{\max\{R_i : 1 \le i \le w\}},$$

which is what we were required to prove.



Although Theorem 11.12 is useful, it is often much more useful to employ a generalization in which we have $\ell$ ideal $\mathcal{K}$-decompositions of $\Gamma_0$ instead of just one. Each of the $\ell$ decompositions is used to share a key chosen from $\mathcal{K}$. Thus, we build a scheme with key set $\mathcal{K}^\ell$. The construction of the scheme and its information rate are as stated in the following theorem.

THEOREM 11.13 (Decomposition Construction)

Suppose $\Gamma$ is an access structure having basis $\Gamma_0$, and $\ell \ge 1$ is an integer. Let $\mathcal{K}$ be a specified key set, and for $1 \le j \le \ell$, suppose that

$$\mathcal{D}_j = \{\Gamma_{j,1}, \ldots, \Gamma_{j,n_j}\}$$

is an ideal $\mathcal{K}$-decomposition of $\Gamma_0$. Let

$$\mathcal{P}_{j,k} = \bigcup_{B \in \Gamma_{j,k}} B$$

denote the participant set for the access structure $\Gamma_{j,k}$. For every participant $P_i$, define

$$R_i = |\{(j, k) : P_i \in \mathcal{P}_{j,k}\}|.$$

Then there exists a perfect secret sharing scheme realizing $\Gamma$, having information rate

$$\rho = \ell / R,$$

where

$$R = \max\{R_i : 1 \le i \le w\}.$$

PROOF For $1 \le j \le \ell$ and $1 \le k \le n_j$, we have an ideal scheme realizing the access structure with basis $\Gamma_{j,k}$, with key set $\mathcal{K}$, having $\mathcal{F}_{j,k}$ as its set of distribution rules. We construct a scheme realizing $\Gamma$, with key set $\mathcal{K}^\ell$. The set of distribution rules $\mathcal{F}$ is constructed according to the following recipe. Suppose $D$ wants to share a key $K = (K_1, \ldots, K_\ell)$. Then for $1 \le j \le \ell$ and $1 \le k \le n_j$, he chooses a random distribution rule $f_{j,k} \in \mathcal{F}_{j,k}$ for the key $K_j$ and distributes the resulting shares to the participants in $\mathcal{P}_{j,k}$.

The information rate can be computed in a manner similar to that of Theorem 11.12: participant $P_i$ receives $R_i$ elements of $\mathcal{K}$ for a key drawn from $\mathcal{K}^\ell$, so $\rho_i = \ell / R_i$.

Let's look at a couple of examples.
Example 11.10

Consider access structure # 5. The basis is a graph that is not a complete multipartite graph. Therefore we know from Theorem 11.11 that $\rho^* \le 2/3$.

Let $p$ be prime, and consider the following two ideal $\mathbb{Z}_p$-decompositions:

$$\mathcal{D}_1 = \{\Gamma_{1,1}, \Gamma_{1,2}\},$$

where

$$\Gamma_{1,1} = \{\{P_1, P_2\}\} \quad \text{and} \quad \Gamma_{1,2} = \{\{P_2, P_3\}, \{P_3, P_4\}\},$$

and

$$\mathcal{D}_2 = \{\Gamma_{2,1}, \Gamma_{2,2}\},$$

where

$$\Gamma_{2,1} = \{\{P_1, P_2\}, \{P_2, P_3\}\} \quad \text{and} \quad \Gamma_{2,2} = \{\{P_3, P_4\}\}.$$

Each decomposition consists of a $K_2$ and a $K_{1,2}$, so they are indeed ideal $\mathbb{Z}_p$-decompositions. Either of them yields a scheme with $\rho = 1/2$. However, if we "combine" them by applying Theorem 11.13 with $\ell = 2$, then we get a scheme with $\rho = 2/3$, which is optimal.

One implementation of the scheme, using Theorem 11.5, is as follows. $D$ will choose four random elements (independently) from $\mathbb{Z}_p$, say $b_{11}, b_{12}, b_{21}$, and $b_{22}$. Given a key $(K_1, K_2) \in (\mathbb{Z}_p)^2$, $D$ distributes shares as follows:

1. $P_1$ receives $b_{11}$, $b_{21}$.

2. $P_2$ receives $b_{11} + K_1$, $b_{12}$, $b_{21} + K_2$.

3. $P_3$ receives $b_{12} + K_1$, $b_{21}$, $b_{22}$.

4. $P_4$ receives $b_{12}$, $b_{22} + K_2$.

(All arithmetic is performed in $\mathbb{Z}_p$.)
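The following is an added example (not from the book) that implements the share distribution of Example 11.10 and uses it to check, by exhaustive enumeration, both the entropy definition of perfectness (Definition 11.5) and the bound of Theorem 11.9: with a uniform key and uniform $b_{11}, b_{12}, b_{21}, b_{22}$, it computes $H(K \mid B)$ for all fifteen subsets $B$ and $H(P_2 P_3)$, and finds $H(P_2 P_3) = 3H(K)$ exactly, so this $\rho = 2/3$ scheme meets the bound with equality. The prime $p = 3$ and the participant names are choices made for this example.

```python
"""Decomposition construction for access structure #5 (Example 11.10).

Added example, not from the book: `distribute` hands out exactly the
shares listed in the example, `reconstruct` recovers (K1, K2) for each
authorized pair, and `analyse` checks Definition 11.5 by exhaustive
enumeration over a small prime p (uniform key, uniform b11..b22):
H(K | B) = 0 for authorized B, H(K | B) = H(K) for unauthorized B, and
H(P2 P3) = 3 H(K) (the bound of Theorem 11.9 is met with equality).
"""
from collections import Counter
from itertools import combinations, product
from math import log2

PARTS = ("P1", "P2", "P3", "P4")
BASIS_5 = [("P1", "P2"), ("P2", "P3"), ("P3", "P4")]


def distribute(key, b, p):
    """Shares of Example 11.10; key = (K1, K2), b = (b11, b12, b21, b22)."""
    k1, k2 = key
    b11, b12, b21, b22 = b
    return {
        "P1": (b11 % p, b21 % p),
        "P2": ((b11 + k1) % p, b12 % p, (b21 + k2) % p),
        "P3": ((b12 + k1) % p, b21 % p, b22 % p),
        "P4": (b12 % p, (b22 + k2) % p),
    }


def reconstruct(shares, pair, p):
    """Each authorized pair holds a blinded and an unblinded copy of each K_j."""
    s = shares
    if pair == ("P1", "P2"):
        return ((s["P2"][0] - s["P1"][0]) % p, (s["P2"][2] - s["P1"][1]) % p)
    if pair == ("P2", "P3"):
        return ((s["P3"][0] - s["P2"][1]) % p, (s["P2"][2] - s["P3"][1]) % p)
    if pair == ("P3", "P4"):
        return ((s["P3"][0] - s["P4"][0]) % p, (s["P4"][1] - s["P3"][2]) % p)
    raise ValueError(f"{pair} is not an authorized subset")


def entropy(counts):
    """Shannon entropy (bits) of an empirical distribution given as counts."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def joint_distribution(p):
    """Counts of (key, shares of P1..P4) over uniform key and uniform b."""
    joint = Counter()
    for key in product(range(p), repeat=2):
        for b in product(range(p), repeat=4):
            s = distribute(key, b, p)
            joint[(key, tuple(s[x] for x in PARTS))] += 1
    return joint


def marginals(joint, subset):
    """Counts of (key, view) and of view alone, view = shares of `subset`."""
    idx = [PARTS.index(x) for x in subset]
    kb, bb = Counter(), Counter()
    for (key, shares), c in joint.items():
        view = tuple(shares[i] for i in idx)
        kb[(key, view)] += c
        bb[view] += c
    return kb, bb


def conditional_key_entropy(joint, subset):
    """H(K | B) = H(K B) - H(B)  (Equation (11.4))."""
    kb, bb = marginals(joint, subset)
    return entropy(kb) - entropy(bb)


def analyse(p):
    """Largest deviation from Definition 11.5 over all subsets, plus H(P2 P3)."""
    joint = joint_distribution(p)
    hk = conditional_key_entropy(joint, ())          # conditioning on nothing: H(K)
    auth_leak = unauth_dev = 0.0
    for k in range(1, len(PARTS) + 1):
        for B in combinations(PARTS, k):
            h = conditional_key_entropy(joint, B)
            if any(set(a) <= set(B) for a in BASIS_5):
                auth_leak = max(auth_leak, abs(h))          # expect H(K | B) = 0
            else:
                unauth_dev = max(unauth_dev, abs(h - hk))   # expect H(K | B) = H(K)
    h_p2p3 = entropy(marginals(joint, ("P2", "P3"))[1])
    return {"H(K)": hk, "H(P2P3)": h_p2p3,
            "auth_leak": auth_leak, "unauth_dev": unauth_dev}


if __name__ == "__main__":
    shares = distribute((1, 2), (0, 1, 2, 3), 5)
    print({pair: reconstruct(shares, pair, 5) for pair in BASIS_5})
    print(analyse(3))
```

Running `analyse(3)` enumerates the $3^2 \cdot 3^4 = 729$ dealer choices; the two deviation figures come out as zero up to floating-point rounding, and $H(P_2 P_3) = 6\log_2 3 = 3 \cdot 2\log_2 3 = 3H(K)$ because the six field elements held by $P_2$ and $P_3$ are in bijection with $(K_1, K_2, b_{11}, b_{12}, b_{21}, b_{22})$.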
Example 11.11

Consider access structure # 8. Again, $\rho^* \le 2/3$ by Theorem 11.11, and two suitable ideal decompositions will yield an (optimal) scheme with $\rho = 2/3$.

Take $\mathcal{K} = \mathbb{Z}_p$ for any prime $p \ge 3$, and define two ideal $\mathcal{K}$-decompositions to be:

$$\mathcal{D}_1 = \{\Gamma_{1,1}, \Gamma_{1,2}\},$$

where

$$\Gamma_{1,1} = \{\{P_1, P_2\}\} \quad \text{and} \quad \Gamma_{1,2} = \{\{P_2, P_3\}, \{P_2, P_4\}, \{P_3, P_4\}\},$$

and

$$\mathcal{D}_2 = \{\Gamma_{2,1}, \Gamma_{2,2}\},$$

where

$$\Gamma_{2,1} = \{\{P_1, P_2\}, \{P_2, P_3\}, \{P_2, P_4\}\} \quad \text{and} \quad \Gamma_{2,2} = \{\{P_3, P_4\}\}.$$

$\mathcal{D}_1$ consists of a $K_2$ and a $K_3$, and $\mathcal{D}_2$ consists of a $K_{1,3}$ and a $K_2$, so both are ideal $\mathcal{K}$-decompositions. Applying Theorem 11.13 with $\ell = 2$, we get a scheme with $\rho = 2/3$.

One implementation, using Theorem 11.5, is as follows. $D$ will choose four random elements (independently) from $\mathbb{Z}_p$, say $b_{11}, b_{12}, b_{21}$, and $b_{22}$. Given a key $(K_1, K_2) \in (\mathbb{Z}_p)^2$, $D$ distributes shares as follows:

1. $P_1$ receives $b_{11} + K_1$, $b_{21} + K_2$.

2. $P_2$ receives $b_{11}$, $b_{12}$, $b_{21}$.

3. $P_3$ receives $b_{12} + K_1$, $b_{21} + K_2$, $b_{22}$.

4. $P_4$ receives $b_{12} + 2K_1$, $b_{21} + K_2$, $b_{22} + K_2$.

(All arithmetic is performed in $\mathbb{Z}_p$; the $K_3$ on $\{P_2, P_3, P_4\}$ uses the $x$-coordinates $0, 1, 2$, which is why $p \ge 3$ is needed.)

To this point, we have explained all the information in Table 11.1 except for the values of p* for access 
structures #12 and #13. These values arise from a more general version of the decomposition 
construction which we do not describe here; see the notes below. 

11.9 Notes and References

Threshold schemes were invented independently by Blakley [BL79] and Shamir [SH79]. Secret sharing for general access structures was first studied in Ito, Saito, and Nishizeki [ISN87]; we based Section 11.2 on the approach of Benaloh and Leichter [BL90]. The vector space construction is due to Brickell [BR89A]. The entropy bound of Section 11.7 is proved in Capocelli et al. [CDGV93], and some of the other material from this section is found in Blundo et al. [BDSV93].

In this chapter, we have emphasized a linear-algebraic and combinatorial approach to secret sharing. 
Some interesting connections with matroid theory can be found in Brickell and Davenport [BD91]. 
Secret sharing schemes can also be constructed using geometric techniques. Simmons has done 
considerable research in this direction; we refer to [SI92A] for an overview of geometric techniques in 
secret sharing. Further discussion of these topics, as well as constructions for schemes having 
information rate 2/3 for access structures # 12 and # 13, can be found in the expository paper by Stinson 
[ST92A]. 
Exercises

11.1 Write a computer program to compute the key for a Shamir $(t, w)$-threshold scheme implemented in $\mathbb{Z}_p$. That is, given $t$ public $x$-coordinates, $x_1, x_2, \ldots, x_t$, and $t$ $y$-coordinates $y_1, \ldots, y_t$, compute the resulting key. Use the Lagrange interpolation method, as it is easier to program.

(a) Test your program if $p = 31847$, $t = 5$ and $w = 10$, with the following shares:

  x_1 = 413     y_1 = 25439
  x_2 = 432     y_2 = 14847
  x_3 = 451     y_3 = 24780
  x_4 = 470     y_4 = 5910
  x_5 = 489     y_5 = 12734
  x_6 = 508     y_6 = 12492
  x_7 = 527     y_7 = 12555
  x_8 = 546     y_8 = 28578
  x_9 = 565     y_9 = 20806
  x_10 = 584    y_10 = 21462

Verify that the same key is computed by using several different subsets of five shares.

(b) Having determined the key, compute the share that would be given to a participant with $x$-coordinate 10000. (Note that this can be done without computing the whole secret polynomial $a(x)$.)

11.2 A dishonest dealer might distribute "bad" shares for a Shamir threshold scheme, i.e., shares for which different $t$-subsets determine different keys. Given all $w$ shares, we could test the consistency of the shares by computing the key for every one of the $\binom{w}{t}$ $t$-subsets of participants, and verifying that the same key is computed in each case. Can you describe a more efficient method of testing the consistency of the shares?
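The following is an added example (not from the book) for Exercises 11.1 and 11.2. Lagrange interpolation over $\mathbb{Z}_p$ is written so that it evaluates the interpolating polynomial at any $x$, which gives the key at $x = 0$ and the share for $x = 10000$ in 11.1(b) without forming $a(x)$; the consistency check for 11.2 interpolates through $t$ shares and verifies that each of the remaining $w - t$ shares lies on the same polynomial, replacing $\binom{w}{t}$ reconstructions by $w - t$ evaluations. The share table of Exercise 11.1 is embedded as printed, and a second, constructed instance over $p = 31$ (with one share tampered) is used to exercise the checks.

```python
"""Shamir (t, w)-threshold scheme over Z_p: Lagrange reconstruction.

Added example for Exercises 11.1 and 11.2, not from the book. Besides
recovering the key a(0) from any t shares, `interpolate_at` evaluates the
interpolating polynomial at an arbitrary x (the share for x = 10000 in
11.1(b)) without computing a(x) explicitly, and `shares_consistent` is an
answer to 11.2: fix t shares, interpolate, and check that every remaining
share lies on the same polynomial (w - t evaluations instead of C(w, t)
reconstructions).
"""
from itertools import combinations


def interpolate_at(points, x, p):
    """Value at x of the unique polynomial of degree < len(points) through
    the given (x_i, y_i), computed by the Lagrange formula modulo p."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def recover_key(points, p):
    """The key is the constant term a(0)."""
    return interpolate_at(points, 0, p)


def make_shares(key, coeffs, xs, p):
    """Dealer side: a(x) = key + c_1 x + ... + c_{t-1} x^{t-1} at each x (Horner)."""
    out = []
    for x in xs:
        acc = 0
        for c in reversed([key] + list(coeffs)):
            acc = (acc * x + c) % p
        out.append((x, acc))
    return out


def shares_consistent(shares, t, p):
    """Exercise 11.2: do all w shares come from one polynomial of degree < t?"""
    base, rest = shares[:t], shares[t:]
    return all(interpolate_at(base, x, p) == y for x, y in rest)


def keys_from_all_subsets(shares, t, p):
    """The brute-force check of 11.2: set of keys over all t-subsets."""
    return {recover_key(list(sub), p) for sub in combinations(shares, t)}


# Exercise 11.1(a) data as printed (p = 31847, t = 5, w = 10).
P_EX = 31847
SHARES_EX = [(413, 25439), (432, 14847), (451, 24780), (470, 5910), (489, 12734),
             (508, 12492), (527, 12555), (546, 28578), (565, 20806), (584, 21462)]

# Constructed instance (not from the book): p = 31, t = 3, w = 5,
# a(x) = 7 + 4x + 9x^2, and a copy in which the dealer has altered one share.
P_SMALL = 31
SHARES_SMALL = make_shares(7, [4, 9], [1, 2, 3, 4, 5], P_SMALL)
SHARES_BAD = SHARES_SMALL[:4] + [(5, (SHARES_SMALL[4][1] + 1) % P_SMALL)]

if __name__ == "__main__":
    print("11.1(a) key from shares 1-5: ", recover_key(SHARES_EX[:5], P_EX))
    print("11.1(a) key from shares 6-10:", recover_key(SHARES_EX[5:], P_EX))
    print("11.1(b) share for x = 10000: ", interpolate_at(SHARES_EX[:5], 10000, P_EX))
    print("11.2 shares consistent:      ", shares_consistent(SHARES_EX, 5, P_EX))
    print("small instance keys:         ", keys_from_all_subsets(SHARES_SMALL, 3, P_SMALL))
    print("tampered instance consistent:", shares_consistent(SHARES_BAD, 3, P_SMALL))
```

Note that `shares_consistent` detects inconsistency but does not tell an honest participant which share is bad, and a dishonest dealer can still hand out a consistent set of shares for a key of his choosing; protecting against that requires verifiable secret sharing, which is outside the scope of this chapter.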

11.3 For access structures having the following bases, use the monotone circuit construction to construct a secret sharing scheme with information rate $\rho = 1/3$.

(a) $\Gamma_0 = \{\{P_1, P_2\}, \{P_2, P_3\}, \{P_2, P_4\}, \{P_3, P_4\}\}$.

(b) $\Gamma_0 = \{\{P_1, P_3, P_4\}, \{P_1, P_2\}, \{P_2, P_3\}, \{P_2, P_4\}\}$.

(c) $\Gamma_0 = \{\{P_1, P_2\}, \{P_1, P_3\}, \{P_2, P_3, P_4\}, \{P_2, P_4, P_5\}, \{P_3, P_4, P_5\}\}$.

11.4 Use the vector space construction to obtain ideal schemes for access structures having the following bases:

(a) $\Gamma_0 = \{\{P_1, P_2, P_3\}, \{P_1, P_2, P_4\}, \{P_3, P_4\}\}$.

(b) $\Gamma_0 = \{\{P_1, P_2, P_3\}, \{P_1, P_2, P_4\}, \{P_1, P_3, P_4\}\}$.

(c) $\Gamma_0 = \{\{P_1, P_2\}, \{P_1, P_3\}, \{P_2, P_3\}, \{P_1, P_4, P_5\}, \{P_2, P_4, P_5\}\}$.

11.5 Use the decomposition construction to obtain schemes with specified information rates for access structures having the following bases:

(a) $\Gamma_0 = \{\{P_1, P_3, P_4\}, \{P_1, P_2\}, \{P_2, P_3\}\}$, $\rho = 3/5$.

(b) $\Gamma_0 = \{\{P_1, P_3, P_4\}, \{P_1, P_2\}, \{P_2, P_3\}, \{P_2, P_4\}\}$, $\rho = 4/7$.
Chapter 12

Pseudo-random Number Generation 

12.1 Introduction and Examples 

There are many situations in cryptography where it is important to be able to generate random numbers, 
bit-strings, etc. For example, cryptographic keys are to be generated at random from a specified 
keyspace, and many protocols require random numbers to be generated during their execution. 
Generating random numbers by means of coin tosses or other physical processes is time-consuming and 
expensive, so in practice it is common to use a pseudo-random bit generator (or PRBG). A PRBG starts 
with a short random bit-string (a "seed") and expands it into a much longer "random-looking" bit-string. 
Thus a PRBG reduces the amount of random bits that are required in an application. 

More formally, we have the following definition. 

DEFINITION 12.1 Let $k, \ell$ be positive integers such that $\ell \ge k + 1$ (where $\ell$ is a specified polynomial function of $k$). A $(k, \ell)$-pseudo-random bit generator (more briefly, a $(k, \ell)$-PRBG) is a function $f : (\mathbb{Z}_2)^k \to (\mathbb{Z}_2)^\ell$ that can be computed in polynomial time (as a function of $k$). The input $s_0 \in (\mathbb{Z}_2)^k$ is called the seed, and the output $f(s_0) \in (\mathbb{Z}_2)^\ell$ is called a pseudo-random bit-string.

The function $f$ is deterministic, so the bit-string $f(s_0)$ is dependent only on the seed. Our goal is that the pseudo-random bit-string $f(s_0)$ should "look like" truly random bits, given that the seed is chosen at random. Giving a precise definition is quite difficult, but we will try to give an intuitive description of the concept later in this chapter.

One motivating example for studying this type of PRBG is as follows. Recall the concept of perfect secrecy that we studied in Chapter 2. One realization of perfect secrecy is the One-time Pad, where the plaintext and the key are both bitstrings of a specified length, and the ciphertext is constructed by taking the bitwise exclusive-or of the plaintext and the key. The practical difficulty of the One-time Pad is that the key, which must be randomly generated and communicated over a secure channel, must be as long as the plaintext in order to ensure perfect secrecy. PRBGs provide a possible way of alleviating this problem. Suppose Alice and Bob agree on a PRBG and communicate a seed over the secure channel. Alice and Bob can then both compute the same string of pseudo-random bits, which will be used as a One-time Pad. Thus the seed functions as a key, and the PRBG can be thought of as a keystream generator for a stream cipher. (The resulting cipher no longer has perfect secrecy, since the keystream has only $k$ bits of entropy; its security rests instead on the PRBG output being computationally indistinguishable from random, the notion made precise in Section 12.2.)



Figure 12.1 Linear Congruential Generator 

We now present some well-known PRBGs to motivate and illustrate some of the concepts we will be studying. First, we observe that a linear feedback shift register, as described in Section 1.1.7, can be thought of as a PRBG. Given a $k$-bit seed, an LFSR of degree $k$ can be used to produce as many as $2^k - k - 1$ further bits before repeating. The PRBG obtained from an LFSR is very insecure: we already observed in Section 1.2.5 that knowledge of any $2k$ consecutive bits suffices to allow the seed to be determined, and hence the entire sequence can be reconstructed by an opponent. (Although we have not yet defined security of a PRBG, it should be clear that the existence of an attack of this type means that the generator is insecure!)

Another well-known (but insecure) PRBG, called the Linear Congruential Generator, is presented in Figure 12.1. Here is a very small example to illustrate.

Example 12.1

We can obtain a $(5, 10)$-PRBG by taking $M = 31$, $a = 3$ and $b = 5$ in the Linear Congruential Generator. If we consider the mapping $s \mapsto 3s + 5 \bmod 31$, then $13 \mapsto 13$, and the other 30 residues are permuted in a cycle of length 30, namely 0, 5, 20, 3, 14, 16, 22, 9, 1, 8, 29, 30, 2, 11, 7, 26, 21, 6, 23, 12, 10, 4, 17, 25, 18, 28, 27, 24, 15, 19. If the seed is anything other than 13, then the seed specifies a starting point in this cycle, and the next 10 elements, reduced modulo 2, form the pseudo-random sequence.



Table 12.1 Bit-strings produced by the linear congruential generator

  seed   sequence        seed   sequence        seed   sequence
  0      1010001101      11     1010100011      22     1101001101
  1      0101001101      12     0011001011      23     0001100101
  2      1101010001      13     1111111111      24     1101010001
  3      0001101001      14     0011010011      25     0010110101
  4      1100101101      15     1010100011      26     1010001100
  5      0100011010      16     0110100110      27     0110101000
  6      1000110010      17     1001011010      28     1011010100
  7      0101000110      18     0101101010      29     0011010100
  8      1001101010      19     0101000110      30     0110101000
  9      1010011010      20     1000110100
  10     0110010110      21     0100011001

The 31 possible pseudo-random bit-strings produced by this generator are illustrated in Table 12.1. (The entry for seed 1 follows from the cycle above: the ten elements after 1 are 8, 29, 30, 2, 11, 7, 26, 21, 6, 23.) Note that the 31 seeds yield only 27 distinct strings, since the pairs of seeds 2 and 24, 7 and 19, 11 and 15, and 27 and 30 produce identical output.

We can use some concepts developed in earlier chapters to construct PRBGs. For example, the output feedback mode of DES, as described in Section 3.4.1, can be thought of as a PRBG; moreover, it appears to be computationally secure.

Figure 12.2 RSA Generator
Another approach in constructing very fast PRBGs is to combine LFSRs in some way that the output looks less linear. One such method, due to Coppersmith, Krawczyk and Mansour, is called the Shrinking Generator. Suppose we have two LFSRs, one of degree $k_1$ and one of degree $k_2$. We will require a total of $k_1 + k_2$ bits as our seed, in order to initialize both LFSRs. The first LFSR will produce a sequence of bits, say $a_1, a_2, \ldots$, and the second produces a sequence of bits $b_1, b_2, \ldots$. Then we define a sequence of pseudo-random bits $z_1, z_2, \ldots$ by the rule

$$z_k = a_{i_k},$$

where $i_k$ is the position of the $k$th 1 in the sequence $b_1, b_2, \ldots$. These pseudo-random bits comprise a subsequence of the bits produced by the first LFSR. This method of pseudo-random bit generation is very fast and is resistant to various known attacks, but there does not seem to be any way to prove that it is secure.

In the rest of this chapter, we will investigate PRBGs that can be proved to be secure given some plausible computational assumption. There are PRBGs based on the fundamental problems of factoring (as it relates to the RSA public-key cryptosystem) and the Discrete Logarithm problem. A PRBG based on the RSA encryption function is shown in Figure 12.2, and a PRBG based on the Discrete Logarithm problem is discussed in the exercises.

We now give an example of the RSA Generator.



Example 12.2

Suppose $n = 91261 = 263 \times 347$, $b = 1547$, and $s_0 = 75634$. The first 20 bits produced by the RSA Generator are computed as shown in Table 12.2: at each step $s_i = s_{i-1}^{\,b} \bmod n$ and $z_i = s_i \bmod 2$. Hence the bit-string resulting from this seed is

$$10000111011110011000.$$

Table 12.2 Bits produced by RSA generator

  i     s_i      z_i
  0     75634
  1     31483    1
  2     31238    0
  3     51968    0
  4     39796    0
  5     28716    0
  6     14089    1
  7     5923     1
  8     44891    1
  9     62284    0
  10    11889    1
  11    43467    1
  12    71215    1
  13    10401    1
  14    77444    0
  15    56794    0
  16    78147    1
  17    72137    1
  18    89592    0
  19    29022    0
  20    13356    0

12.2 Indistinguishable Probability Distributions 

There are two main objectives of a pseudo-random number generator: it should be fast (i.e., computable 
in polynomial time as a function of k) and it should be secure. Of course, these two requirements are 
often conflicting. The PRBGs based on linear congruences or linear feedback shift registers are indeed 
very fast. These PRBGs are quite useful in simulations, but they are very insecure for cryptographic 
applications. 

Let us now try to make precise the idea of a PRBG being "secure." Intuitively, a string of k m bits 
produced by a PRBG should look "random." That is, it should be impossible in an amount of time that is 



file:///DI/My%20Files/eBooks/_Government%20Publicatio...ptography%20Theory%20and%20Practice/chl2/362-364.html (2 of 4)12/6/2003 9:20:35 AM 



Cryptography: Theory and Practice:Pseudo-random Number Generation 

polynomial in k (equivalently, polynomial in £■) to distinguish a string of £ pseudo-random bits 
produced by a PRBG from a string of £ truly random bits. 

This motivates the idea of distinguishability of probability distributions. Here is a definition of this 
concept. 

DEFINITION 12.2 Suppose $p_0$ and $p_1$ are two probability distributions on the set $(\mathbb{Z}_2)^\ell$ of bit-strings 
of length $\ell$. Let 

$$A : (\mathbb{Z}_2)^\ell \to \{0, 1\}$$

be a probabilistic algorithm that runs in polynomial time (as a function of $\ell$). Let $\varepsilon > 0$. For $j = 0, 1$, define 

$$E_A(p_j) = \sum_{(z_1, \dots, z_\ell) \in (\mathbb{Z}_2)^\ell} p_j(z_1, \dots, z_\ell) \cdot p\bigl(A(z_1, \dots, z_\ell) = 1 \mid (z_1, \dots, z_\ell)\bigr).$$

We say that $A$ is an $\varepsilon$-distinguisher of $p_0$ and $p_1$ provided that 

$$|E_A(p_0) - E_A(p_1)| \ge \varepsilon,$$

and we say that $p_0$ and $p_1$ are $\varepsilon$-distinguishable if there exists an $\varepsilon$-distinguisher of $p_0$ and $p_1$. 

REMARK If $A$ is a deterministic algorithm, then the conditional probabilities 

$$p\bigl(A(z_1, \dots, z_\ell) = 1 \mid (z_1, \dots, z_\ell)\bigr)$$

always have the value 0 or 1. 

The intuition behind this definition is as follows. The algorithm $A$ tries to decide if a bit-string 
$(z_1, \dots, z_\ell)$ of length $\ell$ is more likely to have arisen from probability distribution $p_0$ or from 
probability distribution $p_1$. This algorithm may use random numbers if desired, i.e., it can be 
probabilistic. The output represents the algorithm's guess as to which of these two 
probability distributions is more likely to have produced $(z_1, \dots, z_\ell)$. The quantity $E_A(p_j)$ represents 
the average (i.e., expected) value of the output of $A$ over the probability distribution $p_j$, for $j = 0, 1$. This 
is computed by summing over all possible sequences $(z_1, \dots, z_\ell)$ the product of the probability of the 
$\ell$-tuple $(z_1, \dots, z_\ell)$ and the probability that $A$ answers "1" when given $(z_1, \dots, z_\ell)$ as input. $A$ is an $\varepsilon$-
distinguisher provided that the values of these two expectations are at least $\varepsilon$ apart. 
The relevance to PRBGs is as follows. Consider the sequence of $\ell$ bits produced by the PRBG. There 
are $2^\ell$ possible sequences, and if the bits were chosen independently at random, each of these $2^\ell$ 
sequences would occur with equal probability $1/2^\ell$. Thus a truly random sequence corresponds to an 
equiprobable distribution on the set of all bit-strings of length $\ell$. Suppose we denote this probability 
distribution by $p_0$. 

Now, consider sequences produced by the PRBG. Suppose a $k$-bit seed is chosen at random, and then 
the PRBG is used to obtain a bit-string of length $\ell$. Then we obtain a probability distribution on the set 
of all bit-strings of length $\ell$, which we denote by $p_1$. (For the purposes of illustration, suppose we make 
the simplifying assumption that no two seeds give rise to the same sequence of bits. Then, of the $2^\ell$ 
possible sequences, $2^k$ sequences each occur with probability $1/2^k$, and the remaining $2^\ell - 2^k$ 
sequences never occur. So, in this case, the probability distribution $p_1$ is very non-uniform.) 

Even though the two probability distributions $p_0$ and $p_1$ may be quite different, it is still conceivable that 
they might be $\varepsilon$-distinguishable only for small values of $\varepsilon$. This is our objective in constructing PRBGs. 

Example 12.3 

Suppose that a PRBG only produces sequences in which exactly $\ell/2$ bits have the value 0 and $\ell/2$ bits 
have the value 1. Define the function $A$ by 

$$A(z_1, \dots, z_\ell) = \begin{cases} 1 & \text{if } (z_1, \dots, z_\ell) \text{ has } \ell/2 \text{ bits equal to } 0 \\ 0 & \text{otherwise.} \end{cases}$$

In this case, the algorithm $A$ is deterministic. It is not hard to see that 

and 

It can be shown that 

Hence, for any fixed value of $\varepsilon < 1$, $p_0$ and $p_1$ are $\varepsilon$-distinguishable if $\ell$ is sufficiently large. 
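As an added example (not from the book), here is Definition 12.2 evaluated exactly for the test $A$ of Example 12.3, with $p_1$ taken, as an assumption the text does not state, to be uniform over the balanced strings; it shows how $|E_A(p_0) - E_A(p_1)|$ grows with $\ell$. The function names are this example's own.

```python
from fractions import Fraction
from itertools import product
from math import comb

# Added example (not from the book): Definition 12.2 evaluated exactly for the
# deterministic test A of Example 12.3.  Bit-strings are tuples over {0, 1}.
# Assumption (not stated in the text): the balanced-output PRBG of Example 12.3
# emits each balanced string equally often.

def uniform_distribution(ell):
    """p_0: every one of the 2^ell bit-strings has probability 1/2^ell."""
    weight = Fraction(1, 2 ** ell)
    return {z: weight for z in product((0, 1), repeat=ell)}

def balanced_distribution(ell):
    """p_1 of Example 12.3: only strings with exactly ell/2 zeros occur."""
    strings = [z for z in product((0, 1), repeat=ell) if z.count(0) == ell // 2]
    weight = Fraction(1, len(strings))       # assumed uniform over those strings
    return {z: weight for z in strings}

def algorithm_A(z):
    """A(z_1..z_ell) = 1 iff the string has exactly ell/2 bits equal to 0."""
    return 1 if z.count(0) == len(z) // 2 else 0

def expectation(A, dist):
    """E_A(p) = sum_z p(z) * Pr[A(z) = 1]; A is deterministic, so Pr is A(z)."""
    return sum(prob * A(z) for z, prob in dist.items())

def advantage(A, p0, p1):
    """|E_A(p_0) - E_A(p_1)|: A is an eps-distinguisher for every eps <= this."""
    return abs(expectation(A, p0) - expectation(A, p1))

def is_distinguisher(A, p0, p1, eps):
    return advantage(A, p0, p1) >= eps

if __name__ == "__main__":
    for ell in (4, 8, 12):
        p0, p1 = uniform_distribution(ell), balanced_distribution(ell)
        adv = advantage(algorithm_A, p0, p1)
        # E_A(p_1) = 1 and E_A(p_0) = C(ell, ell/2) / 2^ell, so the gap grows with ell
        assert adv == 1 - Fraction(comb(ell, ell // 2), 2 ** ell)
        print(f"ell={ell}: advantage {adv} ~ {float(adv):.3f}")
```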
12.2.1 Next Bit Predictors 

Another useful concept in studying PRBGs is that of a next bit predictor, which works as follows. Let $f$ 
be a $(k, \ell)$-PRBG. Suppose we have a probabilistic algorithm $B_i$, which takes as input the first $i-1$ bits 
produced by $f$ (given an unknown seed), say $z_1, \dots, z_{i-1}$, and attempts to predict the next bit $z_i$. The value 
$i$ can be any value such that $1 \le i \le \ell$. We say that $B_i$ is an $\varepsilon$-next bit predictor if $B_i$ can 
predict the $i$th bit of a pseudo-random sequence with probability at least $1/2 + \varepsilon$, where $\varepsilon > 0$. 

We can give a more precise formulation of this concept in terms of probability distributions, as follows. 
We have already defined the probability distribution $p_1$ on $(\mathbb{Z}_2)^\ell$ induced by the PRBG $f$. We can also 
look at the probability distributions induced by $f$ on any of the $\ell$ pseudo-random output bits (or indeed 
on any subset of these $\ell$ output bits). So, for $1 \le i \le \ell$, we can think of the $i$th pseudo-
random output bit as a random variable that we will denote by $z_i$. 

In view of these definitions, we have the following characterization of a next bit predictor. 
THEOREM 12.1 

Let $f$ be a $(k, \ell)$-PRBG. Then the probabilistic algorithm $B_i$ is an $\varepsilon$-next bit predictor for $f$ if and only if 

$$\sum_{(z_1, \dots, z_{i-1}) \in (\mathbb{Z}_2)^{i-1}} p_1(z_1, \dots, z_{i-1}) \cdot p\bigl(z_i = B_i(z_1, \dots, z_{i-1})\bigr) \ge \frac{1}{2} + \varepsilon.$$

PROOF The probability of correctly predicting the $i$th bit is computed by summing over all possible $(i-1)$-tuples 
$(z_1, \dots, z_{i-1})$ the product of the probability that the $(i-1)$-tuple $(z_1, \dots, z_{i-1})$ is produced by the 
PRBG and the probability that the $i$th bit is predicted correctly given the $(i-1)$-tuple $(z_1, \dots, z_{i-1})$. 

The reason for the expression $1/2 + \varepsilon$ in this definition is that any predicting algorithm can predict the 
next bit of a random sequence with probability $1/2$. If a sequence is not random, then it may be possible 
to predict the next bit with higher probability. (Note that it is unnecessary to consider algorithms that 
predict the next bit with probability less than $1/2$, because in this case an algorithm that replaces every 
prediction $z$ by $1 - z$ will predict the next bit with probability greater than $1/2$.) 

We illustrate these ideas by producing a next bit predictor for the Linear Congruential Generator of 
Example 12.1. 

Example 12.1 (Cont.) 

For any $i$ such that $1 < i < 9$, define $B_i(z) = 1 - z$. That is, $B_i$ predicts that a 0 is most likely to be 
followed by a 1, and vice versa. It is not hard to compute from Table 12.1 that each of these predictors 
$B_i$ is a $9/62$-next bit predictor (i.e., they predict the next bit correctly with probability $20/31$). 

We can use a next bit predictor to construct a distinguishing algorithm $A$, as shown in Figure 12.3. The 
input to algorithm $A$ is a sequence of bits $z_1, \dots, z_\ell$, and $A$ calls the algorithm $B_i$ as a 
subroutine. 

Figure 12.3 Constructing a distinguisher from a next bit predictor 
THEOREM 12.2 

Suppose $B_i$ is an $\varepsilon$-next bit predictor for the $(k, \ell)$-PRBG $f$. Let $p_1$ be the probability distribution 
induced on $(\mathbb{Z}_2)^\ell$ by $f$, and let $p_0$ be the uniform probability distribution on $(\mathbb{Z}_2)^\ell$. Then $A$, as described 
in Figure 12.3, is an $\varepsilon$-distinguisher of $p_1$ and $p_0$. 

PROOF First, observe that 

$$A(z_1, \dots, z_\ell) = 1 \Leftrightarrow B_i(z_1, \dots, z_{i-1}) = z_i.$$

Also, the output of $A$ is independent of the values of $z_{i+1}, \dots, z_\ell$. Thus we can compute as 
follows: 

$$\begin{aligned}
E_A(p_1) &= \sum_{(z_1, \dots, z_\ell) \in (\mathbb{Z}_2)^\ell} p_1(z_1, \dots, z_\ell) \cdot p\bigl(B_i(z_1, \dots, z_{i-1}) = z_i\bigr) \\
&= \sum_{(z_1, \dots, z_{i-1}) \in (\mathbb{Z}_2)^{i-1}} p_1(z_1, \dots, z_{i-1}) \cdot p\bigl(z_i = B_i(z_1, \dots, z_{i-1})\bigr) \\
&\ge \frac{1}{2} + \varepsilon,
\end{aligned}$$

where the last step is Theorem 12.1. On the other hand, any predictor $B_i$ will predict the $i$th bit of a truly random sequence with probability 
$1/2$. Then, it is not difficult to see that $E_A(p_0) = 1/2$. Hence $|E_A(p_0) - E_A(p_1)| \ge \varepsilon$, as desired. 

One of the main results in the theory of pseudo-random bit generators, due to Yao, is that a next bit 
predictor is a universal test. That is, a PRBG is "secure" if and only if there does not exist an $\varepsilon$-next bit 
predictor except for very small values of $\varepsilon$. Theorem 12.2 proves the implication in one direction. To 
prove the converse, we need to show how the existence of a distinguisher implies the existence of a next 
bit predictor. This is done in Theorem 12.3. 

THEOREM 12.3 

Suppose $A$ is an $\varepsilon$-distinguisher of $p_1$ and $p_0$, where $p_1$ is the probability distribution induced on $(\mathbb{Z}_2)^\ell$ 
by the $(k, \ell)$-PRBG $f$, and $p_0$ is the uniform probability distribution on $(\mathbb{Z}_2)^\ell$. Then for some $i$, 
$1 \le i \le \ell$, there exists an $\varepsilon/\ell$-next bit predictor $B_i$ for $f$. 

PROOF For $0 \le i \le \ell$, define $q_i$ to be a probability distribution on $(\mathbb{Z}_2)^\ell$ where the first $i$ bits are 
generated using $f$, and the remaining $\ell - i$ bits are generated at random. Thus $q_0 = p_0$ and 
$q_\ell = p_1$. We are given that 

$$|E_A(q_0) - E_A(q_\ell)| \ge \varepsilon.$$

By the triangle inequality, we have that 

$$|E_A(q_0) - E_A(q_\ell)| \le \sum_{i=1}^{\ell} |E_A(q_{i-1}) - E_A(q_i)|.$$

Hence, it follows that there is at least one value $i$, $1 \le i \le \ell$, such that 

$$|E_A(q_{i-1}) - E_A(q_i)| \ge \frac{\varepsilon}{\ell}.$$

Without loss of generality, we will assume that 

We are going to construct an $i$th bit predictor (for this specified value of $i$). The predicting algorithm is 
probabilistic in nature and is presented in Figure 12.4. Here is the idea behind this construction. The 
predicting algorithm in fact produces an $\ell$-tuple according to the probability distribution $q_{i-1}$, given that 
$z_1, \dots, z_{i-1}$ are generated by the PRBG. If $A$ answers "0," then it thinks that the $\ell$-tuple was most likely 
generated according to the probability distribution $q_i$. Now $q_{i-1}$ and $q_i$ differ only in that the $i$th bit is 
generated at random in $q_{i-1}$, whereas it is generated according to the PRBG in $q_i$. Hence, when $A$ 
answers "0," it thinks that the $i$th bit, $z_i$, is what would be produced by the PRBG. Hence, in this case we 
take $z_i$ as our prediction of the $i$th bit. If $A$ answers "1," it thinks that $z_i$ is random, so we take $1 - z_i$ as our 
prediction of the $i$th bit. 

We need to compute the probability that the $i$th bit is predicted correctly. Observe that if $A$ answers "0," 
then the prediction is correct with probability 

$$p_1\bigl(z_i \mid (z_1, \dots, z_{i-1})\bigr),$$

where $p_1$ is the probability distribution induced by the PRBG. 

Figure 12.4 Constructing a next bit predictor from a distinguisher 

If $A$ answers "1," then the prediction is 
correct with probability 

For brevity, we denote $\mathbf{z} = (z_1, \dots, z_{i-1})$. In our computation, we will make use of the fact that 
This can be proved easily as follows: 

Now we can perform our main computation. Here $p(A = b \mid \mathbf{z}, z_i)$ denotes the probability that $A$ answers $b$ when the first $i$ bits are $(\mathbf{z}, z_i)$ and the remaining $\ell - i$ bits are chosen at random, and the factor $1/2$ is the probability of the random choice of $z_i$: 

$$\begin{aligned}
p\bigl(z_i = B_i(\mathbf{z})\bigr) &= \sum_{\mathbf{z}} \sum_{z_i} \frac{1}{2}\, p_1(\mathbf{z}) \Bigl( p(A = 0 \mid \mathbf{z}, z_i)\, p_1(z_i \mid \mathbf{z}) + p(A = 1 \mid \mathbf{z}, z_i)\, \bigl(1 - p_1(z_i \mid \mathbf{z})\bigr) \Bigr) \\
&= \sum_{\mathbf{z}} \sum_{z_i} \frac{1}{2}\, p_1(\mathbf{z})\, p_1(z_i \mid \mathbf{z})\, p(A = 0 \mid \mathbf{z}, z_i) + \sum_{\mathbf{z}} \sum_{z_i} \frac{1}{2}\, p_1(\mathbf{z})\, p(A = 1 \mid \mathbf{z}, z_i) \\
&\qquad - \sum_{\mathbf{z}} \sum_{z_i} \frac{1}{2}\, p_1(\mathbf{z})\, p_1(z_i \mid \mathbf{z})\, p(A = 1 \mid \mathbf{z}, z_i) \\
&= \frac{1}{2}\bigl(1 - E_A(q_i)\bigr) + E_A(q_{i-1}) - \frac{1}{2} E_A(q_i) \\
&= \frac{1}{2} + E_A(q_{i-1}) - E_A(q_i) \\
&\ge \frac{1}{2} + \frac{\varepsilon}{\ell},
\end{aligned}$$

which was what we wanted to prove. 

12.3 The Blum-Blum-Shub Generator 

In this section we describe one of the most popular PRBGs, due to Blum, Blum, and Shub. First, we 
review some results on Jacobi symbols from Section 4.5 and other number- theoretic facts from other 
parts of Chapter 4. 

Suppose $p$ and $q$ are two distinct primes, and let $n = pq$. Recall that the Jacobi symbol 

$$\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right) = \begin{cases} 0 & \text{if } \gcd(x, n) > 1 \\ 1 & \text{if } \left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) \ne 0 \\ -1 & \text{if one of } \left(\frac{x}{p}\right) \text{ and } \left(\frac{x}{q}\right) \text{ is } 1 \text{ and the other is } -1. \end{cases}$$

Denote the quadratic residues modulo $n$ by $QR(n)$. That is, 

$$QR(n) = \{x^2 \bmod n : x \in \mathbb{Z}_n^*\}.$$

Recall that $x$ is a quadratic residue modulo $n$ if and only if 

$$\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1.$$

Define 

Thus 

An element $x \in \widetilde{QR}(n)$ is called a pseudo-square modulo $n$. 



The Blum-Blum-Shub Generator, as well as some other cryptographic systems, is based on the 
Quadratic Residues problem defined in Figure 12.5. (In Chapter 4, we defined the Quadratic Residues 
problem modulo a prime and showed that it is easy to solve; here we have a composite modulus.) 
Observe that the Quadratic Residues problem requires us to distinguish quadratic residues modulo $n$ 
from pseudo-squares modulo $n$. This can be no more difficult than factoring $n$. For if the factorization $n 
= pq$ can be computed, then it is a simple matter to compute $\left(\frac{x}{p}\right)$, say. Given that $\left(\frac{x}{n}\right) = 1$, it follows that 
$x$ is a quadratic residue if and only if $\left(\frac{x}{p}\right) = 1$. 

Figure 12.5 Quadratic Residues 

Figure 12.6 Blum-Blum-Shub Generator 

There does not appear to be any way to solve the Quadratic Residues problem efficiently if the 
factorization of $n$ is not known. So this problem appears to be intractable if it is infeasible to factor $n$. 

The Blum-Blum-Shub Generator is presented in Figure 12.6. The generator works quite simply. Given 
a seed $s_0 \in QR(n)$, we compute the sequence $s_1, s_2, \dots$ by successive squaring modulo $n$, so that 
$s_{i+1} = s_i^2 \bmod n$, and then reduce each $s_i$ modulo 2 to obtain $z_i$. It follows that 

$$z_i = \left(s_0^{2^i} \bmod n\right) \bmod 2, \qquad 1 \le i \le \ell.$$



Table 12.3 Bits produced by BBS generator 

i     s_i       z_i
0     20749     -
1     143135    1
2     177671    1
3     97048     0
4     89992     0
5     174051    1
6     80649     1
7     45663     1
8     69442     0
9     186894    0
10    177046    0
11    137922    0
12    123175    1
13    8630      0
14    114386    0
15    14863     1
16    133015    1
17    106065    1
18    45870     0
19    137171    1
20    48060     0



We now give an example of the BBS Generator. 

Example 12.4 

Suppose $n = 192649 = 383 \times 503$ and $s_0 = 101355^2 \bmod n = 20749$. The first 20 bits produced by the 
BBS Generator are computed as shown in Table 12.3. Hence the bit-string resulting from this seed is 

11001110000100111010. 

Here is a feature of the BBS Generator that is useful when we look at its security. Since $n = pq$ where $p 
\equiv q \equiv 3 \pmod 4$, it follows that for any quadratic residue $x$, there is a unique square root of $x$ that is also a 
quadratic residue. This square root is called the principal square root of $x$. It follows that the mapping 
$x \mapsto x^2 \bmod n$ used to define the BBS Generator is a permutation on $QR(n)$, the set of quadratic 
residues modulo $n$. 

12.3.1 Security of the BBS Generator 

In this section, we look at the security of the BBS Generator in detail. We begin by supposing that the 
pseudo-random bits produced by the BBS Generator are $\varepsilon$-distinguishable from $\ell$ random bits and then 
see where that leads us. Throughout this section, $n = pq$, where $p$ and $q$ are primes such that $p \equiv q \equiv 3 
\pmod 4$, and the factorization $n = pq$ is unknown. 

We have already discussed the idea of a next bit predictor. In this section we consider a similar concept 
that we call a previous bit predictor. A previous bit predictor for a $(k, \ell)$-BBS Generator will take as 
input $\ell$ pseudo-random bits produced by the generator (as determined by an unknown random seed $s_0 \in 
QR(n)$), and attempt to predict the value $z_0 = s_0 \bmod 2$. A previous bit predictor can be a probabilistic 
algorithm, and we say that a previous bit predictor $B_0$ is an $\varepsilon$-previous bit predictor if its probability of 
correctly guessing $z_0$ is at least $1/2 + \varepsilon$, where this probability is computed over all possible seeds $s_0$. 
We state the following theorem, which is similar to Theorem 12.3, without proof. 

THEOREM 12.4 

Suppose $A$ is an $\varepsilon$-distinguisher of $p_1$ and $p_0$, where $p_1$ is the probability distribution induced on $(\mathbb{Z}_2)^\ell$ 
by the $(k, \ell)$-BBS Generator $f$ and $p_0$ is the uniform probability distribution on $(\mathbb{Z}_2)^\ell$. Then there 
exists an $(\varepsilon/\ell)$-previous bit predictor $B_0$ for $f$. 

We now show how to use an $\varepsilon$-previous bit predictor, $B_0$, to construct a probabilistic algorithm that 
distinguishes quadratic residues modulo $n$ from pseudo-squares modulo $n$ with probability $1/2 + \varepsilon$. This 
algorithm $A$, presented in Figure 12.7, uses $B_0$ as a subroutine, or oracle. 

THEOREM 12.5 

Suppose $B_0$ is an $\varepsilon$-previous bit predictor for the $(k, \ell)$-BBS Generator $f$. Then the algorithm $A$, as 
described in Figure 12.7, determines quadratic residuosity correctly with probability at least $1/2 + \varepsilon$, 
where this probability is computed over all possible inputs $x \in QR(n) \cup \widetilde{QR}(n)$. 

PROOF Since $n = pq$ and $p \equiv q \equiv 3 \pmod 4$, it follows that $\left(\frac{-1}{n}\right) = 1$, so $-1 \in \widetilde{QR}(n)$. Hence, if 
$\left(\frac{x}{n}\right) = 1$, then the principal square root of $s_1 = x^2 \bmod n$ is $x$ if $x \in QR(n)$, and $-x$ if $x \in \widetilde{QR}(n)$. But 

$$(-x \bmod n) \bmod 2 \ne (x \bmod n) \bmod 2,$$

so it follows that algorithm $A$ gives the correct answer if and only if $B_0$ correctly predicts $z_0$. The result 
then follows immediately. 

Figure 12.7 Constructing a quadratic residue distinguisher from a previous bit predictor 

Theorem 12.5 shows how we can distinguish pseudo-squares from quadratic residues with probability at 
least $1/2 + \varepsilon$. We now show that this leads to a Monte Carlo algorithm that gives the correct answer with 
probability at least $1/2 + \varepsilon$. In other words, for any $x \in QR(n) \cup \widetilde{QR}(n)$, the Monte Carlo algorithm 
gives the correct answer with probability at least $1/2 + \varepsilon$. Note that this algorithm is an unbiased 
algorithm (it may give an incorrect answer for any input) in contrast to the Monte Carlo algorithms that 
we studied in Section 4.5 which were all biased algorithms. 

The Monte Carlo algorithm $A'$ is presented in Figure 12.8. It calls the previous algorithm $A$ as a 
subroutine. 
THEOREM 12.6 

Suppose that algorithm $A$ determines quadratic residuosity correctly with probability at least $1/2 + \varepsilon$. 
Then the algorithm $A'$, as described in Figure 12.8, is a Monte Carlo algorithm for Quadratic 
Residues with error probability at most $1/2 - \varepsilon$. 

PROOF For any given input $x \in QR(n) \cup \widetilde{QR}(n)$, the effect of step 2 in algorithm $A'$ is to produce 
an element $x'$ that is a random element of $QR(n) \cup \widetilde{QR}(n)$ whose status as a quadratic residue is 
known. 

The last step is to show that any (unbiased) Monte Carlo algorithm that has error probability at most $1/2 
- \varepsilon$ can be used to construct an unbiased Monte Carlo algorithm with error probability at most $\delta$, for any 
$\delta > 0$. In other words, we can make the probability of correctness arbitrarily close to 1. The idea is to run 
the given Monte Carlo algorithm $2m + 1$ times, for some integer $m$, and take the "majority vote" as the 
answer. By computing the error probability of this algorithm, we can also see how $m$ depends on $\delta$. This 
dependence is stated in the following theorem. 

Figure 12.8 A Monte Carlo algorithm for Quadratic Residues 



THEOREM 12.7 

Suppose $A$ is an unbiased Monte Carlo algorithm with error probability at most $1/2 - \varepsilon$. Suppose we 
run $A$ $n = 2m + 1$ times on a given instance $I$, and we take the most frequent answer. Then the error 
probability of the resulting algorithm is at most 

$$\frac{(1 - 4\varepsilon^2)^m}{2}.$$

PROOF The probability of obtaining exactly $i$ correct answers in the $n$ trials is at most 

The probability that the most frequent answer is incorrect is equal to the probability that the number of 
correct answers in the $n$ trials is at most $m$. Hence, we compute as follows (each term with $i \le m$ contains at 
least $m + 1$ factors of $1/2 - \varepsilon$, and $\sum_{i=0}^{m} \binom{n}{i} = 2^{2m}$): 

$$\begin{aligned}
\sum_{i=0}^{m} \binom{n}{i} \left(\frac{1}{2} + \varepsilon\right)^i \left(\frac{1}{2} - \varepsilon\right)^{n-i}
&\le \left(\frac{1}{2} + \varepsilon\right)^m \left(\frac{1}{2} - \varepsilon\right)^{m+1} \sum_{i=0}^{m} \binom{n}{i} \\
&= \left(\frac{1}{4} - \varepsilon^2\right)^m \left(\frac{1}{2} - \varepsilon\right) 2^{2m} \\
&= \left(1 - 4\varepsilon^2\right)^m \left(\frac{1}{2} - \varepsilon\right) \\
&\le \frac{\left(1 - 4\varepsilon^2\right)^m}{2},
\end{aligned}$$

as required. 

Suppose we want to lower the probability of error to some value $\delta$, where $0 < \delta < 1/2 - \varepsilon$. We need to 
choose $m$ so that 

$$\frac{(1 - 4\varepsilon^2)^m}{2} \le \delta.$$

Hence, it suffices to take 

$$m = \left\lceil \frac{1 + \log_2 \delta}{\log_2 (1 - 4\varepsilon^2)} \right\rceil.$$

Then, if algorithm $A$ is run $2m + 1$ times, the majority vote yields the correct answer with probability at 
least $1 - \delta$. It is not hard to show that this value of $m$ is at most $c/(\delta\varepsilon^2)$ for some constant $c$. Hence, the 
number of times that the algorithm must be run is polynomial in $1/\delta$ and $1/\varepsilon$. 

Example 12.5 

Suppose we start with a Monte Carlo algorithm that returns the correct answer with probability at 
least .55, so $\varepsilon = .05$. If we desire a Monte Carlo algorithm in which the probability of error is at 
most .05, then it suffices to take $m = 230$ and $n = 461$. 
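Added example, not from the book: the repetition count $m$ of Theorem 12.7 for given $\varepsilon$ and $\delta$ (reproducing Example 12.5), together with the exact error probability of the majority vote so the bound can be checked against it; the function names are this example's own.

```python
from fractions import Fraction
from math import ceil, comb, log2

# Added example (not from the book): the repetition count m of Theorem 12.7
# and the exact error probability of the (2m+1)-fold majority vote it bounds.
# The function names are this example's own.

def rounds_for_error(eps, delta):
    """Smallest m with (1 - 4 eps^2)^m / 2 <= delta, i.e.
    m = ceil((1 + log2 delta) / log2(1 - 4 eps^2)); returns (m, n = 2m + 1)."""
    if not (0 < eps < 0.5) or not (0 < delta < 0.5 - eps):
        raise ValueError("need 0 < eps < 1/2 and 0 < delta < 1/2 - eps")
    # both logarithms are negative, so the quotient is positive
    m = ceil((1 + log2(delta)) / log2(1 - 4 * eps * eps))
    return m, 2 * m + 1

def error_bound(eps, m):
    """Theorem 12.7's bound (1 - 4 eps^2)^m / 2 as an exact Fraction."""
    eps = Fraction(eps)
    return (1 - 4 * eps * eps) ** m / 2

def majority_error(eps, m):
    """Exact probability that the majority of n = 2m + 1 independent runs is
    wrong when each run is correct with probability exactly 1/2 + eps:
    the vote fails iff at most m runs are correct."""
    n = 2 * m + 1
    p = Fraction(1, 2) + Fraction(eps)     # P[run correct]
    q = 1 - p                              # P[run wrong]
    return sum(comb(n, i) * p ** i * q ** (n - i) for i in range(m + 1))

if __name__ == "__main__":
    eps = delta = Fraction(1, 20)   # Example 12.5: correct w.p. .55, target error .05
    m, n = rounds_for_error(eps, delta)
    print(m, n)                                        # 230 461
    print(float(error_bound(eps, m)), float(majority_error(eps, m)))
```

The exact majority-vote error is far below the bound of Theorem 12.7, which is what makes $m = 230$ a safe (if conservative) choice.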

Let us combine all the reductions we have done. We have the following sequence of implications: 

Since it is widely believed that there is no polynomial-time Monte Carlo algorithm for Quadratic 
Residues with small error probability, we have some evidence that the BBS Generator is secure. 

We close this section by mentioning a way of improving the efficiency of the BBS Generator. The 
sequence of pseudo-random bits is constructed by taking the least significant bit of each $s_i$, where 
$s_i = s_0^{2^i} \bmod n$. Suppose instead that we extract the $m$ least significant bits from each $s_i$. This will 
improve the efficiency of the PRBG by a factor of $m$, but we need to ask if the PRBG will remain 
secure. It has been shown that this approach will remain secure provided that $m < \log_2 \log_2 n$. So we can 
extract about $\log_2 \log_2 n$ pseudo-random bits per modular squaring. In a realistic implementation of the 
BBS Generator, $n \approx 10^{160}$, so we can extract nine bits per squaring. 

12.4 Probabilistic Encryption 

Probabilistic encryption is an idea of Goldwasser and Micali. One motivation is as follows. Suppose we 
have a public-key cryptosystem, and we wish to encrypt a single bit, i.e., $x = 0$ or $1$. Since anyone can 
compute $e_K(0)$ and $e_K(1)$, it is a simple matter for an opponent to determine if a ciphertext $y$ is an 
encryption of 0 or an encryption of 1. More generally, an opponent can always determine if the plaintext 
has a specified value by encrypting a hypothesized plaintext, hoping to match a given ciphertext. 
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The goal of probabilistic encryption is that "no information" about the plaintext should be computable 
from the ciphertext (in polynomial time). This objective can be realized by a public-key cryptosystem in 
which encryption is probabilistic rather than deterministic. Since there are "many" possible encryptions 
of each plaintext, it is not feasible to test whether a given ciphertext is an encryption of a particular 
plaintext. 

Here is a formal mathematical definition of this concept. 

DEFINITION 12.3 A probabilistic public-key cryptosystem is defined to be a six-tuple 
$(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{R}, \mathcal{E}, \mathcal{D})$, where $\mathcal{P}$ is the set of plaintexts, $\mathcal{C}$ is the set of ciphertexts, $\mathcal{K}$ is the key space, 
$\mathcal{R}$ is a set of randomizers, and for each key $K \in \mathcal{K}$, $e_K \in \mathcal{E}$ is a public encryption rule and 
$d_K \in \mathcal{D}$ is a secret decryption rule. The following properties should be satisfied: 

1. Each $e_K : \mathcal{P} \times \mathcal{R} \to \mathcal{C}$ and $d_K : \mathcal{C} \to \mathcal{P}$ are functions such that 

$$d_K(e_K(x, r)) = x$$

for every plaintext $x \in \mathcal{P}$ and every $r \in \mathcal{R}$. (In particular, this implies that 

$$e_K(x, r) \ne e_K(x', r') \text{ if } x \ne x'.)$$

2. Let $\varepsilon$ be a specified security parameter. For any fixed $K \in \mathcal{K}$ and for any $x \in \mathcal{P}$, define 
a probability distribution $p_{K,x}$ on $\mathcal{C}$, where $p_{K,x}(y)$ denotes the probability that $y$ is the ciphertext 
given that $K$ is the key and $x$ is the plaintext (this probability is computed over all $r \in \mathcal{R}$). 
Suppose $x, x' \in \mathcal{P}$, $x \ne x'$, and $K \in \mathcal{K}$. Then the probability distributions $p_{K,x}$ and $p_{K,x'}$ are 
not $\varepsilon$-distinguishable. 

Here is how the system works. To encrypt a plaintext $x$, choose a randomizer $r \in \mathcal{R}$ and compute $y = 
e_K(x, r)$. Any such value $y = e_K(x, r)$ can be decrypted to $x$. Property 2 is stating that the probability 
distribution of all encryptions of $x$ cannot be distinguished from the probability distribution of all 
encryptions of $x'$ if $x \ne x'$. Informally, an encryption of $x$ "looks like" an encryption of $x'$. The security 
parameter $\varepsilon$ should be small: in practice we would want to have $\varepsilon$ … for some small $c > 0$. 

We now present the Goldwasser-Micali Probabilistic Public-key Cryptosystem in Figure 12.9. This 
system encrypts one bit at a time. A 0 bit is encrypted to a random quadratic residue modulo $n$; a 1 bit is 
encrypted to a random pseudo-square modulo $n$. When Bob receives an element 
$y \in QR(n) \cup \widetilde{QR}(n)$, he can use his knowledge of the factorization of $n$ to determine whether $y \in 
QR(n)$ or whether $y \in \widetilde{QR}(n)$. He does this by computing 

$$\left(\frac{y}{p}\right) = y^{(p-1)/2} \bmod p;$$

then 

$$y \in QR(n) \Leftrightarrow \left(\frac{y}{p}\right) = 1.$$

Figure 12.9 Goldwasser-Micali Probabilistic Public-key Cryptosystem 

A more efficient probabilistic public-key cryptosystem was given by Blum and Goldwasser. The Blum-
Goldwasser Probabilistic Public-key Cryptosystem is presented in Figure 12.10. The basic idea is as 
follows. A random seed $s_0$ generates a sequence of $\ell$ pseudo-random bits $z_1, \dots, z_\ell$ using the BBS 
Generator. The $z_i$'s are used as a keystream, i.e., they are exclusive-ored with the $\ell$ plaintext bits to form 
the ciphertext. As well, the element $s_{\ell+1} = s_0^{2^{\ell+1}} \bmod n$ is transmitted as part of the 
ciphertext. 

When Bob receives the ciphertext, he can compute $s_0$ from $s_{\ell+1}$, then reconstruct the keystream, and 
finally exclusive-or the keystream with the $\ell$ ciphertext bits to obtain the plaintext. We should explain 
how Bob derives $s_0$ from $s_{\ell+1}$. Recall that each $s_{i-1}$ is the principal square root of $s_i$. Now, $n = pq$ with 
$p \equiv q \equiv 3 \pmod 4$, so the square roots of any quadratic residue $x$ modulo $p$ are $\pm x^{(p+1)/4}$. Using properties 
of Jacobi symbols, we have that 

$$\left(\frac{x^{(p+1)/4}}{p}\right) = 1.$$

It follows that $x^{(p+1)/4}$ is the principal square root of $x$ modulo $p$. Similarly, $x^{(q+1)/4}$ is the principal square 
root of $x$ modulo $q$. Then, using the Chinese remainder theorem, we can find the principal square root of 
$x$ modulo $n$. 

Figure 12.10 Blum-Goldwasser Probabilistic Public-key Cryptosystem 

More generally, $x^{((p+1)/4)^i}$ will be the principal $2^i$-th root of $x$ modulo $p$ and $x^{((q+1)/4)^i}$ will 
be the principal $2^i$-th root of $x$ modulo $q$. Since $\mathbb{Z}_p^*$ has order $p - 1$, we can reduce the exponent 
modulo $p - 1$ in the computation $x^{((p+1)/4)^i} \bmod p$. In a similar fashion, we can 
reduce the exponent 

$$((q+1)/4)^i$$

modulo $q - 1$. In Figure 12.10, having obtained the principal 
$2^{\ell+1}$-th roots of $s_{\ell+1}$ modulo $p$ and modulo $q$ (steps 1-4 of the decryption process), the Chinese 
remainder theorem is used to compute the principal $2^{\ell+1}$-th root of $s_{\ell+1}$ modulo $n$. 

Here is an example to illustrate. 
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Example 12.6 

Suppose $n = 192649$, as in Example 12.4. Suppose further that Alice chooses $r = 20749$ and wants to 
encrypt the 20-bit plaintext string 

x = 11010011010011101101. 

She will first compute the keystream 

z = 11001110000100111010, 

exactly as in Example 12.4, and then exclusive-or it with the plaintext, to obtain the ciphertext 

y = 00011101010111010111 

which she transmits to Bob. She also computes 

$$s_{21} = s_{20}^2 \bmod n = 94739$$

and sends it to Bob. 

Of course Bob knows the factorization $n = 383 \times 503$, so $(p+1)/4 = 96$ and $(q+1)/4 = 126$. He begins 
by computing 

$$a_1 = ((p+1)/4)^{\ell+1} \bmod (p-1) = 96^{21} \bmod 382 = 266$$

and 

$$a_2 = ((q+1)/4)^{\ell+1} \bmod (q-1) = 126^{21} \bmod 502 = 486.$$

Next, he calculates 

$$b_1 = s_{21}^{a_1} \bmod p = 94739^{266} \bmod 383 = 67$$

and 

$$b_2 = s_{21}^{a_2} \bmod q = 94739^{486} \bmod 503 = 126.$$

Now Bob proceeds to solve the system of congruences 

$$r \equiv 67 \pmod{383}, \qquad r \equiv 126 \pmod{503}$$

to obtain Alice's seed $r = 20749$. Then he constructs Alice's keystream from $r$. Finally, he exclusive-ors 
the keystream with the ciphertext to get the plaintext. 
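As an added example (not the book's own code), here is the BBS Generator of Figure 12.6 and the Blum-Goldwasser encryption and decryption of Figure 12.10 run on the numbers of Examples 12.4 and 12.6, including Bob's reduction of the exponents modulo $p-1$ and $q-1$; the function names and the returned tuple of intermediate values are this example's own.

```python
# Added example (not the book's own code): the BBS Generator of Figure 12.6 and
# the Blum-Goldwasser cryptosystem of Figure 12.10 on the numbers of Examples
# 12.4 and 12.6.  n, p, q, the seed and the plaintext are the book's; the
# function names and the (a1, a2, b1, b2, s0) tuple are this example's own.

def bbs_bits(n, s0, ell):
    """Return (z_1..z_ell, s_{ell+1}) with s_{i+1} = s_i^2 mod n, z_i = s_i mod 2."""
    s = s0
    bits = []
    for _ in range(ell):
        s = s * s % n          # s_i
        bits.append(s & 1)     # z_i = s_i mod 2
    return bits, s * s % n     # s_{ell+1} travels with the ciphertext

def bg_encrypt(n, s0, plaintext_bits):
    """Ciphertext = (x XOR keystream, s_{ell+1}); the seed s0 must lie in QR(n)."""
    z, s_next = bbs_bits(n, s0, len(plaintext_bits))
    return [x ^ zi for x, zi in zip(plaintext_bits, z)], s_next

def crt(r1, m1, r2, m2):
    """Solve r = r1 (mod m1), r = r2 (mod m2) for coprime m1, m2."""
    t = (r2 - r1) * pow(m1, -1, m2) % m2
    return (r1 + m1 * t) % (m1 * m2)

def principal_root_chain(n, p, q, s_last, k):
    """Recover s_0 from s_k = s_0^(2^k) mod n, given p, q = 3 (mod 4).

    The principal square root of a quadratic residue x mod p is x^((p+1)/4),
    so the principal 2^k-th root is x^(((p+1)/4)^k); the exponent is reduced
    modulo p - 1 (steps 1-4 of Figure 12.10) and the two halves are combined
    with the Chinese remainder theorem.  Returns (a1, a2, b1, b2, s0)."""
    assert p % 4 == 3 and q % 4 == 3 and p * q == n
    a1 = pow((p + 1) // 4, k, p - 1)
    a2 = pow((q + 1) // 4, k, q - 1)
    b1 = pow(s_last, a1, p)
    b2 = pow(s_last, a2, q)
    return a1, a2, b1, b2, crt(b1, p, b2, q)

def bg_decrypt(p, q, ciphertext_bits, s_next):
    n = p * q
    ell = len(ciphertext_bits)
    *_, s0 = principal_root_chain(n, p, q, s_next, ell + 1)
    z, _ = bbs_bits(n, s0, ell)
    return [y ^ zi for y, zi in zip(ciphertext_bits, z)]

def bits(s):
    return [int(c) for c in s]

def text(b):
    return "".join(str(c) for c in b)

if __name__ == "__main__":
    p, q = 383, 503
    n = p * q                      # 192649
    s0 = pow(101355, 2, n)         # 20749, Example 12.4
    print(text(bbs_bits(n, s0, 20)[0]))            # 11001110000100111010
    y, s21 = bg_encrypt(n, s0, bits("11010011010011101101"))
    print(text(y), s21)                             # 00011101010111010111 94739
    print(principal_root_chain(n, p, q, s21, 21))   # (266, 486, 67, 126, 20749)
    print(text(bg_decrypt(p, q, y, s21)))           # 11010011010011101101
```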

12.5 Notes and References 

A lengthy treatment of PRBGs can be found in the book by Kranakis [KR86]. See also the survey paper 
by Lagarias [LA90]. 

The Shrinking Generator is due to Coppersmith, Krawczyk, and Mansour [CKM94]; another practical 
method of constructing PRBGs using LFSRs has been given by Günther [GU88]. For methods of 
breaking the Linear Congruential Generator, see Boyar [BO89]. 

The basic theory of secure PRBGs is due to Yao [YA82], who proved the universality of the next bit test. 
Further basic results can be found in Blum and Micali [BM84]. The BBS Generator is described in 
[BBS86]. The security of the Quadratic Residues problem is studied by Goldwasser and Micali 
[GM84], on which we based much of Section 12.3.1. We have, however, used the approach of Brassard 
and Bratley [BB88A, Section 8.6] to reduce the error probability of an unbiased Monte Carlo algorithm. 

Properties of the RSA Generator are studied in Alexi, Chor, Goldreich, and Schnorr [ACGS88]. 
PRBGs based on the Discrete Logarithm problem are treated in Blum and Micali [BM84], Long and 
Wigderson [LW88], and Håstad, Schrift, and Shamir [HSS93]. A sufficient condition for the secure 
extraction of multiple bits per iteration of a PRBG was proved by Vazirani and Vazirani [VV84]. 

Figure 12.11 Discrete Logarithm Generator 

The idea of probabilistic encryption is due to Goldwasser and Micali [GM84]; the Blum-Goldwasser 
Cryptosystem is presented in [BG85]. 
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Exercises 



12.1 Consider the Linear Congruential Generator defined by $s_i = (a s_{i-1} + b) \bmod M$. Suppose 
that $M = qa + 1$ where $a$ is odd and $q$ is even, and suppose that $b = 1$. Show that the next bit 
predictor $B_i(z) = 1 - z$ for the $i$th bit is an $\varepsilon$-next bit predictor, where 



1 + 

2 2M ' 

12.2 Suppose we have an RSA Generator with $n = 36863$, $b = 229$ and seed $s_0 = 25$. Compute 
the first 100 bits produced by this generator. 

12.3 A PRBG based on the Discrete Logarithm problem is given in Figure 12.11. Suppose $p = 
21383$, the primitive element $\alpha = 5$ and the seed $s_0 = 15886$. Compute the first 100 bits produced 
by this generator. 

12.4 Suppose that Bob has knowledge of the factorization $n = pq$ in the BBS Generator. 

(a) Show how Bob can use this knowledge to compute any $s_i$ from $s_0$ with $2k$ 
multiplications modulo $\phi(n)$ and $2k$ multiplications modulo $n$, where $n$ has $k$ bits in its 
binary representation. (If $i$ is large compared to $k$, then this approach represents a 
substantial improvement over the $i$ multiplications required to sequentially compute $s_1, \dots, 
s_i$.) 

(b) Use this method to compute $s_{10000}$ if $n = 59701 = 227 \times 263$ and $s_0 = 17995$. 

Table 12.4 Blum-Goldwasser Ciphertext 


12.5 We proved that, in order to reduce the error probability of an unbiased Monte Carlo 
algorithm from $1/2 - \varepsilon$ to $\delta$, where $\varepsilon + \delta < 1/2$, it suffices to run the algorithm $m$ times, where 

$$m = \left\lceil \frac{1 + \log_2 \delta}{\log_2 (1 - 4\varepsilon^2)} \right\rceil.$$

Prove that this value of $m$ is $O(1/(\delta\varepsilon^2))$. 

12.6 Suppose Bob receives some ciphertext which was encrypted with the Blum-Goldwasser 
Probabilistic Public-key Cryptosystem. The original plaintext consisted of English text. Each 
alphabetic character was converted to a bitstring of length five in the obvious way: A $\leftrightarrow$ 00000, B $\leftrightarrow$ 
00001, ..., Z $\leftrightarrow$ 11001. The plaintext consisted of 236 alphabetic characters, so a bitstring of 
length 1180 resulted. This bitstring was then encrypted. The resulting ciphertext bitstring was 
then converted to a hexadecimal representation, to save space. The final string of 295 
hexadecimal characters is presented in Table 12.4. Also, $s_{1181} = 20291$ is part of the ciphertext, 
and $n = 29893$ is Bob's public key. Bob's secret factorization of $n$ is $n = pq$, where $p = 167$ and $q 
= 179$. 

Your task is to decrypt the given ciphertext and restore the original English plaintext, which was 
taken from "Under the Hammer," by John Mortimer, Penguin Books, 1994. 



Chapter 13 

Zero-knowledge Proofs 

13.1 Interactive Proof Systems 

Very informally, a zero-knowledge proof system allows one person to convince another person of some 
fact without revealing any information about the proof. We first discuss the idea of an interactive proof 
system. In an interactive proof system, there are two participants, Peggy and Vic. Peggy is the prover 
and Vic is the verifier. Peggy knows some fact, and she wishes to prove to Vic that she does. 

It is necessary to describe the kinds of computations that Peggy and Vic will be allowed to perform, and 
also to describe the interaction that takes place. It is convenient to think of both Peggy and Vic as being 
probabilistic algorithms. Peggy and Vic will each perform private computations, and each of them has a 
private random number generator. They will communicate to each other through a communication 
channel. Initially, Peggy and Vic both possess an input x. The object of the interactive proof is for Peggy 
to convince Vic that x has some specified property. More precisely, x will be a yes-instance of a 
specified decision problem Π. 

The interactive proof, which is a challenge-and-response protocol, consists of a specified number of 
rounds. During each round, Peggy and Vic alternately do the following: 

1. receive a message from the other party 

2. perform a private computation 

3. send a message to the other party. 

A typical round of the protocol will consist of a challenge by Vic, and a response by Peggy. At the end 
of the proof, Vic either accepts or rejects, depending on whether or not Peggy successfully replies to all 
of Vic's challenges. We define the protocol to be an interactive proof system for the decision problem Π 
if the following two properties are satisfied whenever Vic follows the protocol: 

completeness 

If x is a yes-instance of the decision problem Π, then Vic will always accept Peggy's proof. 

soundness 

If x is a no-instance of Π, then the probability that Vic accepts the proof is very small. 

Figure 13.1 Graph Isomorphism 

We will restrict our attention to interactive proof systems in which the computations performed by Vic 
can be done in polynomial time. On the other hand, we do not place any bound on the computation time 
required by Peggy (informally, Peggy is "all-powerful"). 

We begin by presenting an interactive proof system for the problem of Graph Non-isomorphism. The 
Graph Isomorphism problem is described in Figure 13.1. This is an interesting problem since no 
polynomial-time algorithm to solve it is known, but it is not known to be NP-complete. 

We will present an interactive proof system which will allow Peggy to "prove" to Vic that two specified 
graphs are not isomorphic. For simplicity, let us suppose that G_1 and G_2 each have vertex set {1, ..., n}. 

The interactive proof system for Graph Non-isomorphism is presented in Figure 13.2. 
We present a toy example. 
Example 13.1 

Suppose G_1 = (V, E_1) and G_2 = (V, E_2), where V = {1, 2, 3, 4}, E_1 = {12, 14, 23, 34} and E_2 = {12, 13, 
14, 34}. 

Suppose in some round of the protocol that Vic gives Peggy the graph H = (V, E_3), where E_3 = {13, 14, 
23, 24} (see Figure 13.3). The graph H is isomorphic to G_1 (one isomorphism from H to G_1 is the 
permutation (1 3 4 2)). So Peggy answers "1." 

It is easy to see that this proof system satisfies the completeness and soundness properties. If G_1 is not 
isomorphic to G_2, then j will equal i in every round, and Vic will accept with probability 1. Hence, the 
protocol is complete. 



Figure 13.2 An interactive proof system for Graph Non-isomorphism 

Figure 13.3 Peggy's non-isomorphic graphs and Vic's challenge 

On the other hand, suppose that G_1 is isomorphic to G_2. Then any challenge graph H submitted by Vic is 
isomorphic to both G_1 and G_2. Peggy has no way of determining if Vic constructed H as an isomorphic 
copy of G_1 or of G_2, so she can do no better than make a guess j = 1 or 2 for her response. The only way 
that Vic will accept is if Peggy is able to guess all n choices of i made by Vic. Her probability of doing 
this is 2^{-n}. Hence, the protocol is sound. 

Notice that Vic's computations are all polynomial-time. We cannot say anything about Peggy's 
computation time since the Graph Isomorphism problem is not known to be solvable in polynomial 
time. However, recall that we assumed that Peggy has infinite computing power, so this is allowed under 
the "rules of the game." 
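The Graph Non-isomorphism protocol of Figure 13.2, as the text describes it, run on the graphs of Example 13.1 in Python (an added example, not the book's code). Peggy's exhaustive isomorphism search stands in for her unbounded computing power, and running the protocol on two isomorphic graphs shows the 2^{-n} acceptance probability from the soundness argument.

```python
import itertools
import random

# Graphs of Example 13.1 (from the text): vertex set {1, 2, 3, 4}, edge uv as (u, v).
E1 = {(1, 2), (1, 4), (2, 3), (3, 4)}   # G_1
E2 = {(1, 2), (1, 3), (1, 4), (3, 4)}   # G_2
E3 = {(1, 3), (1, 4), (2, 3), (2, 4)}   # Vic's challenge graph H
N = 4


def apply_perm(perm, edges):
    """Image of an edge set under perm, written in one-line notation
    (perm[v - 1] is the image of vertex v); edges are normalised to (small, large)."""
    return frozenset(tuple(sorted((perm[u - 1], perm[v - 1]))) for u, v in edges)


def find_isomorphism(src, dst, n):
    """Exhaustive search for a permutation carrying src onto dst (None if there is
    none).  Exponential in n: this is the computation the text permits the
    'all-powerful' Peggy, not a practical Graph Isomorphism algorithm."""
    for perm in itertools.permutations(range(1, n + 1)):
        if apply_perm(perm, src) == dst:
            return perm
    return None


def peggy_answer(h, g1, g2, n):
    """Peggy's response j: the index of the graph that H is isomorphic to.
    If H is isomorphic to both (exactly when G_1 ~ G_2) she can only guess,
    which is what makes the protocol sound."""
    iso1 = find_isomorphism(h, g1, n) is not None
    iso2 = find_isomorphism(h, g2, n) is not None
    if iso1 and iso2:
        return random.choice((1, 2))
    return 1 if iso1 else 2


def vic_challenge(g1, g2, n):
    """Vic picks i in {1, 2} and a random permutation pi and sends H = pi(G_i)."""
    i = random.choice((1, 2))
    pi = list(range(1, n + 1))
    random.shuffle(pi)
    return i, apply_perm(tuple(pi), g1 if i == 1 else g2)


def run_protocol(g1, g2, n, rounds):
    """Vic accepts only if Peggy answers every one of his challenges correctly."""
    for _ in range(rounds):
        i, h = vic_challenge(g1, g2, n)
        if peggy_answer(h, g1, g2, n) != i:
            return False
    return True


def acceptance_rate(g1, g2, n, rounds, trials):
    """Empirical probability that Vic accepts; about 2^-rounds when G_1 ~ G_2."""
    accepted = sum(run_protocol(g1, g2, n, rounds) for _ in range(trials))
    return accepted / trials
```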
13.2 Perfect Zero-knowledge Proofs 

Although interactive proof systems are of interest in their own right, the most interesting type of 
interactive proof is a zero-knowledge proof. This is one in which Peggy convinces Vic that x possesses 
some specified property, but at the end of the protocol, Vic still has no idea of how to prove (himself) 
that x has this property. This is a very tricky concept to define formally, and we present an example 
before attempting any definitions. 

In Figure 13.4, we present a zero-knowledge interactive proof for Graph Isomorphism. A small 
example will illustrate the workings of the protocol. 

Example 13.2 

Suppose G_1 = (V, E_1) and G_2 = (V, E_2), where V = {1, 2, 3, 4}, E_1 = {12, 13, 14, 34} and E_2 = {12, 13, 
23, 24}. One isomorphism from G_2 to G_1 is the permutation σ = (4 1 3 2). 

Now suppose in some round of the protocol that Peggy chooses the permutation π = (2 4 1 3). Then H 
has edge set {12, 13, 23, 24} (see Figure 13.5). 

If Vic's challenge is i = 1, then Peggy gives Vic the permutation π and Vic checks that the image of G_1 
under π is H. If Vic's challenge is i = 2, then Peggy gives Vic the composition ρ = π ∘ σ = (3 2 1 4) and Vic 
checks that the image of G_2 under ρ is H. 

Completeness and soundness of the protocol are easy to verify. It is easy to see that the probability that 
Vic accepts is 1 if G_1 is isomorphic to G_2. On the other hand, if G_1 is not isomorphic to G_2, then the only 
way for Peggy to deceive Vic is for her to correctly guess the value i that Vic will choose in each round, 
and write a (random) isomorphic copy of G_i on the communication tape. Her probability of correctly 
guessing Vic's n random challenges is 2^{-n}. 
Figure 13.4 A perfect zero-knowledge interactive proof system for Graph Isomorphism 



Figure 13.5 Peggy's isomorphic graphs 

All of Vic's computations can be done in polynomial time (as a function of n, the number of vertices in 
G_1 and G_2). Although it is not necessary, notice that Peggy's computations can also be done in 
polynomial time provided that she knows the existence of one permutation σ such that the image of G_2 
under σ is G_1. 

Why would we refer to this proof system as a zero-knowledge proof? The reason is that, although Vic is 
convinced that G_1 is isomorphic to G_2, he does not gain any "knowledge" that would help him find a 
permutation σ that carries G_1 to G_2. All he sees in each round of the proof is a random isomorphic copy 
H of the graphs G_1 and G_2, together with a permutation that carries G_1 to H or G_2 to H (but not both!). 

But Vic can compute random isomorphic copies of these graphs by himself, without any help from 
Peggy. Since the graphs H are chosen independently and at random in each round of the proof, it seems 
unlikely that this will help Vic find an isomorphism from G_1 to G_2. 

Let us look carefully at the information that Vic obtains by participating in the interactive proof system. 
We can represent Vic's view of the interactive proof by means of a transcript that contains the following 
information: 

1. the graphs G_1 and G_2 

2. all the messages that are transmitted by both Peggy and Vic 

3. the random numbers used by Vic to generate his challenges. 

Hence, a transcript T for the above interactive proof of Graph Isomorphism would have the following 
form: 

$$T = ((G_1, G_2); (H_1, i_1, \rho_1); \ldots; (H_n, i_n, \rho_n)).$$

The essential point, which is the basis for the formal definition of zero-knowledge proof, is that Vic (or 
anyone else) can forge transcripts — without participating in the interactive proof — that "look like" 
real transcripts. This can be done provided that the input graphs G_1 and G_2 are isomorphic. Forging is 
accomplished by means of the algorithm presented in Figure 13.6. The forging algorithm is a 
polynomial-time probabilistic algorithm. In the vernacular of zero-knowledge proofs, a forging 
algorithm is often called a simulator. 
The fact that a simulator can forge transcripts has a very important consequence. Anything that Vic (or 
anyone else) can compute from the transcript could also be computed from a forged transcript. Hence, 
participating in the proof system does not increase Vic's ability to perform any computation; and in 
particular, it does not enable Vic himself to "prove" that G_1 and G_2 are isomorphic. Moreover, Vic 
cannot subsequently convince someone else that G_1 and G_2 are isomorphic by showing them the 
transcript T, since there is no way to distinguish a legitimate transcript from one that has been forged. 



We still have to make precise the idea that a forged transcript "looks like" a real one. We give a rigorous 
definition in terms of probability distributions. 




Figure 13.6 Forging algorithm for transcripts for Graph Isomorphism 



DEFINITION 13.1 Suppose that we have a polynomial-time interactive proof system for a decision 
problem Π, and a polynomial-time simulator S. Denote the set of all possible transcripts that could be 
produced as a result of Peggy and Vic carrying out the interactive proof with a yes-instance x by 
$\mathcal{T}(x)$, and denote the set of all possible forged transcripts that could be produced by S by $\mathcal{F}(x)$. 
For any transcript $T \in \mathcal{T}(x)$, let $p_{\mathcal{T}}(T)$ denote the probability that T is the transcript produced from 
the interactive proof. Similarly, for $T \in \mathcal{F}(x)$, let $p_{\mathcal{F}}(T)$ denote the probability that T is the (forged) 
transcript produced by S. Suppose that $\mathcal{T}(x) = \mathcal{F}(x)$ and, for any $T \in \mathcal{T}(x)$, suppose that 

$$p_{\mathcal{T}}(T) = p_{\mathcal{F}}(T).$$

(In other words, the set of real transcripts is identical to the set of forged transcripts, 
and the two probability distributions are identical.) Then we define the interactive proof system to be 
perfect zero-knowledge for Vic. 



Of course we can define zero-knowledge however we like. But it is important that the definition captures 
our intuitive concept of what "zero-knowledge" should mean. We are saying that an interactive proof 
system is zero-knowledge for Vic if there exists a simulator that produces transcripts with an identical 
probability distribution to those produced when Vic actually takes part in the protocol. (This is a related 
but stronger concept than that of indistinguishable probability distributions that we studied in Chapter 
12.) We have observed that a transcript contains all the information gained by Vic by taking part in the 
protocol. So it should seem reasonable to say that whatever Vic might be able to do after taking part in 
the protocol he could equally well do by just using the simulator to generate a forged transcript. We are 
perhaps not defining "knowledge" by this approach; but whatever "knowledge" might be, Vic doesn't 
gain any! 

We will now prove that the interactive proof system for Graph Isomorphism is perfect zero-knowledge 
for Vic. 

THEOREM 13.1 

The interactive proof system for Graph Isomorphism is perfect zero-knowledge for Vic. 

PROOF Suppose that G_1 and G_2 are isomorphic graphs on n vertices. A transcript T (real or forged) 
contains n triples of the form (H, i, ρ), where i = 1 or 2, ρ is a permutation of {1, ..., n}, and H is the 
image of G_i under the permutation ρ. Call such a triple a valid triple and denote by $\mathcal{R}$ the set of all valid 
triples. We begin by computing $|\mathcal{R}|$, the number of valid triples. Evidently $|\mathcal{R}| = 2 \times n!$, since each 
choice of i and ρ determines a unique graph H. 

In any given round, say j, of the forging algorithm, it is clear that each valid triple (H, i, ρ) occurs with 
equal probability 1/(2 × n!). What is the probability that the valid triple (H, i, ρ) is the jth triple on a real 
transcript? In the interactive proof system, Peggy first chooses a random permutation π and then 
computes H to be the image of G_1 under π. The permutation ρ is defined to be π if i = 1, and it is defined 
to be the composition of the two permutations π and σ if i = 2. 

We are assuming that the value of i is chosen at random by Vic. If i = 1, then all n! permutations ρ are 
equiprobable, since ρ = π in this case and π was chosen to be a random permutation. On the other hand, 
if i = 2, then ρ = π ∘ σ, where π is random and σ is fixed. In this case as well, every 
possible permutation ρ is equally probable. Now, since the two cases i = 1 and 2 are equally probable, 
and each permutation ρ is equally probable (independent of the value of i), and since i and ρ together 
determine H, it follows that all triples in $\mathcal{R}$ are equally likely. 

Since a transcript consists of the concatenation of n independent random triples, it follows that 
$p_{\mathcal{T}}(T) = p_{\mathcal{F}}(T)$ for every possible transcript T. 
The proof of Theorem 13.1 assumes that Vic follows the protocol when he takes part in the interactive 
proof system. The situation is much more subtle if Vic does not follow the protocol. Is it true that an 
interactive proof remains zero-knowledge even if Vic deviates from the protocol? 

In the case of Graph Isomorphism, the only way that Vic can deviate from the protocol is to choose his 
challenges i in a non-random way. Intuitively, it seems that this does not provide Vic with any 
"knowledge." However, transcripts produced by the simulator will not "look like" transcripts produced 
by Vic if he deviates from the protocol. For example, suppose Vic chooses i = 1 in every round of the 
proof. Then a transcript of the interactive proof will have i_j = 1 for 1 ≤ j ≤ n; whereas a transcript 
produced by the simulator will have i_j = 1 for 1 ≤ j ≤ n only with probability 2^{-n}. 

The way around this difficulty is to show that, no matter how a "cheating" Vic deviates from the 
protocol, there exists a polynomial-time simulator that will produce forged transcripts that "look like" 
the transcripts produced by Peggy and (the cheating) Vic during the interactive proof. As before, the 
phrase "looks like" is formalized by saying that two probability distributions are identical. 

Here is a more formal definition. 
DEFINITION 13.2 Suppose that we have a polynomial-time interactive proof system for a given 
decision problem Π. Let V* be any polynomial-time probabilistic algorithm that (a possibly cheating) 
verifier uses to generate his challenges. (That is, V* represents either an honest or cheating verifier.) 
Denote the set of all possible transcripts that could be produced as a result of Peggy and V* carrying 
out the interactive proof with a yes-instance x of Π by $\mathcal{T}(x)$. Suppose that, for every such V*, there 
exists an expected polynomial-time probabilistic algorithm S* = S*(V*) (the simulator) which will 
produce a forged transcript. Denote the set of possible forged transcripts by $\mathcal{F}(x)$. For any 
transcript $T \in \mathcal{T}(x)$, let $p_{\mathcal{T},V^*}(T)$ denote the probability that T is the transcript produced by V* 
taking part in the interactive proof. Similarly, for $T \in \mathcal{F}(x)$, let $p_{\mathcal{F},V^*}(T)$ denote the probability that T is 
the (forged) transcript produced by S*. Suppose that $\mathcal{T}(x) = \mathcal{F}(x)$ and, for any $T \in \mathcal{T}(x)$, suppose that 
$p_{\mathcal{F},V^*}(T) = p_{\mathcal{T},V^*}(T)$. Then the interactive proof system is said to be 
perfect zero-knowledge (without qualification). 



In the special case where V* is the same as Vic (i.e., when Vic is honest), the above definition is exactly 
the same as what we defined as "perfect zero-knowledge for Vic." 



In order to prove that a proof system is perfect zero-knowledge, we need a generic transformation which 
will construct a simulator S* from any V*. We proceed to do this for the proof system for Graph 
Isomorphism. The simulator will play the part of Peggy, using V* as a "restartable subroutine." 
Informally, S* tries to guess the challenge i_j that V* will make in each round j. That is, S* generates a 
random valid triple of the form (H_j, i_j, ρ_j), and then executes the algorithm V* to see what its challenge is 
for round j. If the guess i_j is the same as the challenge i'_j (as produced by V*), then the triple (H_j, i_j, ρ_j) is 
appended to the forged transcript. If not, then this triple is discarded, S* guesses a new challenge i_j, and 
the algorithm V* is restarted after resetting its "state" to the way it was at the beginning of the current 
round. By the term "state" we mean the values of all variables used by the algorithm. 



We now give a more detailed description of the simulation algorithm S*. At any given time during the 
execution of the program V*, the current state of V* will be denoted by state(V*). A pseudo-code 
description of the simulation algorithm is given in Figure 13.7. 
It is possible that the simulator will run forever, if it never happens that i_j = i'_j. However, we can show 
that the average running time of the simulator is polynomial, and that the two probability distributions 
$p_{\mathcal{F},V^*}(T)$ and $p_{\mathcal{T},V^*}(T)$ are identical. 

Figure 13.7 Forging algorithm for V* for transcripts for Graph Isomorphism 

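The Graph Isomorphism proof of Figure 13.4 and the forging algorithms of Figures 13.6 and 13.7, as the text describes them, in one added Python example (not the book's code) on the Example 13.2 graphs. A possibly cheating V* is modelled as a function of the partial transcript (its "state"), so restarting V* is simply calling it again with the same partial transcript.

```python
import random

# Example 13.2 graphs (from the text) on vertex set {1, 2, 3, 4}; sigma carries
# G_2 onto G_1 and is Peggy's secret.  Permutations are in one-line notation.
E1 = {(1, 2), (1, 3), (1, 4), (3, 4)}   # G_1
E2 = {(1, 2), (1, 3), (2, 3), (2, 4)}   # G_2
SIGMA = (4, 1, 3, 2)
N = 4


def apply_perm(perm, edges):
    """Image of an edge set under perm (perm[v - 1] is the image of vertex v)."""
    return frozenset(tuple(sorted((perm[u - 1], perm[v - 1]))) for u, v in edges)


def compose(outer, inner):
    """outer o inner: apply inner first, then outer."""
    return tuple(outer[inner[k] - 1] for k in range(len(inner)))


def random_perm(n):
    p = list(range(1, n + 1))
    random.shuffle(p)
    return tuple(p)


def valid_triple(triple, g1, g2):
    """Vic's check on a triple (H, i, rho): H must be the image of G_i under rho."""
    h, i, rho = triple
    return apply_perm(rho, g1 if i == 1 else g2) == h


def peggy_commit(g1, n):
    """Peggy chooses a random pi, keeps it secret and sends H = pi(G_1)."""
    pi = random_perm(n)
    return pi, apply_perm(pi, g1)


def peggy_respond(pi, sigma, i):
    """rho = pi if i = 1, rho = pi o sigma if i = 2 (then rho(G_2) = pi(G_1) = H)."""
    return pi if i == 1 else compose(pi, sigma)


def real_transcript(g1, g2, sigma, n, rounds, verifier=None):
    """Run the protocol and return Vic's view as a list of triples.  `verifier`
    is V*: a function from the partial transcript to a challenge in {1, 2};
    None means the honest Vic, who picks each challenge at random."""
    transcript = []
    for _ in range(rounds):
        pi, h = peggy_commit(g1, n)
        i = random.choice((1, 2)) if verifier is None else verifier(transcript)
        triple = (h, i, peggy_respond(pi, sigma, i))
        if not valid_triple(triple, g1, g2):
            raise ValueError("Vic rejects")
        transcript.append(triple)
    return transcript


def simulate(g1, g2, n, rounds, verifier=None):
    """Forging algorithm.  With verifier=None this is S of Figure 13.6: one random
    valid triple per round.  With a V* it is S* of Figure 13.7: guess the
    challenge, build a valid triple for the guess, run V* on the partial
    transcript, keep the triple only if V*'s challenge equals the guess, and
    otherwise discard it and restart V* from the same partial transcript.
    No isomorphism sigma is needed.  Returns (transcript, number_of_attempts)."""
    transcript, attempts = [], 0
    while len(transcript) < rounds:
        attempts += 1
        guess = random.choice((1, 2))
        rho = random_perm(n)
        h = apply_perm(rho, g1 if guess == 1 else g2)   # valid by construction
        challenge = guess if verifier is None else verifier(transcript)
        if challenge == guess:
            transcript.append((h, guess, rho))
    return transcript, attempts


def always_one(transcript):
    """A cheating V* that ignores the protocol and always challenges with i = 1."""
    return 1
```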
THEOREM 13.2 

The interactive proof system for Graph Isomorphism is perfect zero-knowledge. 

PROOF First, we observe that, regardless of how V* generates its challenges, the probability that the 
guess i_j of S* is the same as the challenge i'_j is 1/2. Hence, on average, S* will generate two triples for 
every triple that it concatenates to the forged transcript. Hence, the average running time is polynomial 
in n. 

The more difficult task is to show that the two probability distributions $p_{\mathcal{F},V^*}(T)$ and $p_{\mathcal{T},V^*}(T)$ are 
identical. In Theorem 13.1, where Vic was honest, we were able to compute the two probability 
distributions and see that they were identical. We also used the fact that triples (H, i, p) generated in 
different rounds of the proof are independent. However, in the current setting, we have no way of 
explicitly computing the two probability distributions. Further, triples generated in different rounds of 
the proof need not be independent. For example, the challenge that V* presents in round j may depend in 
some very complicated way on challenges from previous rounds and on the way Peggy replied to those 
challenges. 

The way to handle these difficulties is to look at the probability distributions on the possible partial 
transcripts during the course of the simulation or interactive proof, and proceed by induction on the 
number of rounds. For 0 ≤ j ≤ n, we define probability distributions $p_{\mathcal{T},V^*,j}$ and $p_{\mathcal{F},V^*,j}$ on the set 
$\mathcal{T}_j$ of partial transcripts $T_j$ that could occur at the end of round j. Notice that $p_{\mathcal{T},V^*,n} = p_{\mathcal{T},V^*}$ and 
$p_{\mathcal{F},V^*,n} = p_{\mathcal{F},V^*}$. Hence, if we can show that the two distributions $p_{\mathcal{T},V^*,j}$ and $p_{\mathcal{F},V^*,j}$ are 
identical for all j, then we will be done. 

The case j = 0 corresponds to the beginning of the algorithm; at this point the transcript contains only the 
two graphs G_1 and G_2. Hence, the probability distributions are identical when j = 0. We use this for the 
start of the induction. 
We make an inductive hypothesis that the two probability distributions $p_{\mathcal{T},V^*,j-1}$ and $p_{\mathcal{F},V^*,j-1}$ 
on $\mathcal{T}_{j-1}$ are identical, for some j ≥ 1. We now prove that the two probability distributions $p_{\mathcal{T},V^*,j}$ and 
$p_{\mathcal{F},V^*,j}$ on $\mathcal{T}_j$ are identical. 

Consider what happens during round j of the interactive proof. The probability that V*'s challenge i_j = 1 
is some real number p_j, and the probability that his challenge i_j = 2 is 1 - p_j, where p_j depends on the 
state of the algorithm V* at the beginning of round j. We noted earlier that in the interactive proof, all 
possible graphs H are chosen by Peggy with equal probability. As well, any permutation ρ occurs with 
equal probability, independent of the value of p_j, since all permutations are equally likely for either 
possible challenge i_j. Hence, the probability that the jth triple on the transcript is (H, i, ρ) is p_j/n! if i = 
1, and (1 - p_j)/n! if i = 2. 

Next, let's do a similar analysis for the simulation. In any given iteration of the repeat loop, S* will 
choose any graph H with probability 1/n!. The probability that i_j = 1 and V*'s challenge is 1 is p_j/2; and 
the probability that i_j = 2 and V*'s challenge is 2 is (1 - p_j)/2. In each of these situations, (H, i_j, ρ) is 
written as the jth triple on the transcript. With probability 1/2, nothing is written on the tape during any 
given iteration of the repeat loop. 

Let us first consider the case i_j = 1. As mentioned above, the probability that V*'s challenge is 1 is p_j. 
The probability that a triple (H, 1, ρ) is written as the jth triple on the transcript during a given iteration 
of the repeat loop is p_j/(2 × n!). Hence, the probability that (H, 1, ρ) is the jth triple on the transcript is 

$$\frac{p_j}{2 \times n!}\left(1 + \frac{1}{2} + \frac{1}{4} + \cdots\right) = \frac{p_j}{n!}.$$

The case i_j = 2 is analyzed in a similar fashion: the probability that (H, 2, ρ) is written as the jth triple on 
the transcript is (1 - p_j)/n!. 

Hence, the two probability distributions on the partial transcripts at the end of round j are identical. By 
induction, the two probability distributions $p_{\mathcal{F},V^*}(T)$ and $p_{\mathcal{T},V^*}(T)$ are identical, and the proof is 
complete. 

It is interesting also to look at the interactive proof system for Graph Non-isomorphism. It is not too 
difficult to prove that this proof is perfect zero-knowledge if Vic follows the protocol (i.e., if Vic 
chooses each challenge graph to be a random isomorphic copy of G_i where i = 1 or 2 is chosen at 
random). Further, provided that Vic constructs each challenge graph by taking an isomorphic copy of 
either G_1 or G_2, the protocol remains zero-knowledge even if Vic chooses his challenges in a non-
random fashion. However, suppose that our ubiquitous troublemaker, Oscar, gives a graph H to Vic 
which is isomorphic to one of G_1 or G_2, but Vic does not know which G_i is isomorphic to H. If Vic uses 

this H as one of his challenge graphs in the interactive proof system, then Peggy will give Vic an 
isomorphism he didn't previously know, and (possibly) couldn't figure out for himself. In this situation, 
the proof system is (intuitively) not zero-knowledge, and it does not seem likely that a transcript could 
be forged by a simulator. 




Figure 13.8 A perfect zero-knowledge interactive proof system for Quadratic Residues 

It is possible to alter the proof of Graph Non-isomorphism so it is perfect zero-knowledge, but we will 
not go into the details. 

We now present some other examples of perfect zero-knowledge proofs. A perfect zero-knowledge 
proof for Quadratic Residues (modulo n = pq, where p and q are prime) is given in Figure 13.8. Peggy 
is proving that x is a quadratic residue. In each round, she generates a random quadratic residue y and 
sends it to Vic. Then, depending on Vic's challenge, Peggy either gives Vic a square root of y or a 
square root of xy. 

Figure 13.9 Subgroup Membership 

It is clear that the protocol is complete. To prove soundness, observe that if x is not a quadratic residue, 
then Peggy can answer only one of the two possible challenges since, in this case, y is a quadratic 
residue if and only if xy is not a quadratic residue. So Peggy will be caught in any given round of the 
protocol with probability 1/2, and her probability of deceiving Vic in all log_2 n rounds is only 
$2^{-\log_2 n} = 1/n$. (The reason for having log_2 n rounds is that the size of the problem instance is 
proportional to the number of bits in the binary representation of n, which is log_2 n. Hence, the deception 
probability for Peggy is exponentially small as a function of the size of the problem instance, as in the 
zero-knowledge proof for Graph Isomorphism.) 

Perfect zero-knowledge for Vic can be shown in a similar manner as was done for Graph 
Isomorphism. Vic can generate a triple (y, i, z) by first choosing i and z, and then defining 

$$y = z^2 (x^i)^{-1} \bmod n.$$

Triples generated in this fashion have exactly the same probability distribution as those generated during 
the protocol, assuming Vic chooses his challenges at random. Perfect zero-knowledge (for an arbitrary 
V*) is proved by following the same strategy as for Graph Isomorphism. It requires building a 
simulator S* that guesses V*'s challenges and keeps only the triples where the guesses are correct. 
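The Quadratic Residues protocol of Figure 13.8 as the text describes it, as an added Python example (not the book's code) on constructed parameters n = 11·19 and x = 7^2 mod n. It also shows the honest-Vic triple forgery y = z^2 (x^i)^{-1} mod n and the 1/2-per-round success of a prover who holds no square root of x.

```python
import math
import random

# Constructed toy parameters (not from the book): n = pq with p = 11, q = 19.
P, Q = 11, 19
N = P * Q                 # 209
U = 7                     # Peggy's secret square root of x
X = U * U % N             # 49: the quadratic residue Peggy proves
X_NONRESIDUE = 2          # 2 is a non-residue mod 11, hence a non-residue mod 209


def units(n):
    """Z_n^*: the integers in [1, n) coprime to n."""
    return [a for a in range(1, n) if math.gcd(a, n) == 1]


def peggy_commit(n):
    """Round start: Peggy picks a random v in Z_n^* and sends y = v^2 mod n."""
    v = random.choice(units(n))
    return v, v * v % n


def peggy_respond(u, v, i, n):
    """Challenge i = 0: a square root of y (v); i = 1: a square root of xy (uv)."""
    return v if i == 0 else u * v % n


def vic_check(x, y, i, z, n):
    """Vic accepts the round iff z^2 = x^i y (mod n)."""
    return z * z % n == pow(x, i, n) * y % n


def run_proof(x, u, n):
    """ceil(log2 n) rounds; Vic accepts only if every round checks out."""
    for _ in range(math.ceil(math.log2(n))):
        v, y = peggy_commit(n)
        i = random.choice((0, 1))
        if not vic_check(x, y, i, peggy_respond(u, v, i, n), n):
            return False
    return True


def forge_triple(x, n):
    """Honest-Vic simulator: choose i and z first, then y = z^2 (x^i)^{-1} mod n.
    The triple (y, i, z) passes Vic's check although no root of x was used."""
    i = random.choice((0, 1))
    z = random.choice(units(n))
    y = z * z * pow(pow(x, i, n), -1, n) % n
    return y, i, z


def cheating_round(x, n):
    """One round by a Peggy who has no square root of x (x a non-residue).  She
    guesses the challenge g and prepares y so that only that challenge is
    answerable: y = v^2 if g = 0, y = v^2 x^{-1} if g = 1 (then v^2 = x y).
    Returns whether Vic accepted; for the other challenge no valid z exists."""
    g = random.choice((0, 1))
    v = random.choice(units(n))
    y = v * v % n if g == 0 else v * v * pow(x, -1, n) % n
    i = random.choice((0, 1))
    z = v if i == g else random.choice(units(n))   # wrong guess: nothing works
    return vic_check(x, y, i, z, n)
```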

We now present one more example of a perfect zero-knowledge proof, this one for a decision problem 
related to the Discrete Logarithm problem. The problem, which we call Subgroup Membership, is 
defined in Figure 13.9. Of course, the integer k (if it exists) is just the discrete logarithm of β. 

We present a perfect zero-knowledge proof for Subgroup Membership in Figure 13.10. The analysis of 
this protocol is similar to the others that we have looked at; the details are left to the reader. 




Figure 13.10 A perfect zero-knowledge interactive proof system for Subgroup Membership 
13.3 Bit Commitments 

The zero-knowledge proof system for Graph Isomorphism is interesting, but it would be more useful 
to have zero-knowledge proof systems for problems that are known to be NP-complete. There is 
theoretical evidence that perfect zero-knowledge proofs do not exist for NP-complete problems. 
However, we can describe proof systems that attain a slightly weaker form of zero-knowledge called 
computational zero-knowledge. The actual proof systems are described in the next section; in this 
section we describe the technique of bit commitment that is an essential tool used in the proof system. 

Suppose Peggy writes a message on a piece of paper, and then places the message in a safe for which 
she knows the combination. Peggy then gives the safe to Vic. Even though Vic doesn't know what the 
message is until the safe is opened, we would agree that Peggy is committed to her message because she 
cannot change it. Further, Vic cannot learn what the message is (assuming he doesn't know the 
combination of the safe) unless Peggy opens the safe for him. (Recall that we used a similar analogy in 
Chapter 4 to describe the idea of a public-key cryptosystem, but in that case, it was the recipient of the 
message, Vic, who could open the safe.) 

Suppose the message is a bit b = 0 or 1, and Peggy encrypts b in some way. The encrypted form of b is 
sometimes called a blob and the encryption method is called a bit commitment scheme. In general, a bit 
commitment scheme will be a function f: {0, 1} × X → Y, where X and Y are finite sets. An encryption 
of b is any value f(b, x), x ∈ X. We can informally define two properties that a bit commitment scheme 
should satisfy: 

concealing 

For a bit b = 0 or 1, Vic cannot determine the value of b from the blob f(b, x). 
binding 

Peggy can later "open" the blob, by revealing the value of x used to encrypt b, to convince Vic 
that b was the value encrypted. Peggy should not be able to open a blob as both a 0 and a 1. 

If Peggy wants to commit any bitstring, she simply commits every bit independently. 

One way to perform bit commitment is to use the Goldwasser-Micali Probabilistic Cryptosystem 
described in Section 12.4. Recall that in this system, n = pq, where p and q are primes, and $m \in \tilde{Q}_n$. 
The integers n and m are public; the factorization n = pq is known only to Peggy. In our bit commitment 
scheme, we have $X = Y = \mathbb{Z}_n^*$ and 

$$f(b, x) = m^b x^2 \bmod n.$$

Peggy encrypts a value b by choosing a random x and computing y = f(b, x); the value y comprises the 
blob. 

Later, when Peggy wants to open y, she reveals the values b and x. Then Vic can verify that 

$$y \equiv m^b x^2 \pmod{n}.$$

Let us think about the concealing and binding properties. A blob is an encryption of 0 or of 1, and 
reveals no information about the plaintext value b provided that the Quadratic Residues problem is 
infeasible (we discussed this at length in Chapter 12). Hence, the scheme is concealing. 

Is the scheme binding? Let us suppose not; then 

$$m x_1^2 \equiv x_2^2 \pmod{n}$$

for some $x_1, x_2 \in \mathbb{Z}_n^*$. But then 

$$m \equiv (x_2 x_1^{-1})^2 \pmod{n},$$

which is a contradiction since $m \in \tilde{Q}_n$ is a pseudo-square and hence not a quadratic residue. 

We will be using bit commitment schemes to construct zero-knowledge proofs. However, they have 
another nice application, to the problem of coin-flipping by telephone. Suppose Alice and Bob want to 
make some decision based on a random coin flip, but they are not in the same place. This means that it is 
impossible for one of them to flip a real coin and have the other verify it. A bit commitment scheme 
provides a way out of this dilemma. One of them, say Alice, chooses a random bit b, and computes a 
blob, y. She gives y to Bob. Now Bob guesses the value of b, and then Alice opens the blob to reveal b. 
The concealing property means that it is infeasible for Bob to compute b given y, and the binding 
property means that Alice can't "change her mind" after Bob reveals his guess. 

We now give another example of a bit commitment scheme, this time based on the Discrete Logarithm 
problem. Recall from Section 5.1.2 that if p ≡ 3 (mod 4) is a prime such that the Discrete Logarithm 
problem in $\mathbb{Z}_p^*$ is infeasible, then the second least significant bit of a discrete logarithm is secure. 
Actually, it has been proved for primes p ≡ 3 (mod 4) that any Monte Carlo algorithm for the Second Bit 
problem having error probability 1/2 - ε with ε > 0 can be used to solve the Discrete Log problem in 
$\mathbb{Z}_p^*$. This much stronger result is the basis for the bit commitment scheme. 

This bit commitment scheme will have X = {1, ..., p - 1} and $Y = \mathbb{Z}_p^*$. The second least significant bit 
of an integer x, denoted by SLB(x), is defined as follows: 

$$\mathrm{SLB}(x) = \begin{cases} 0 & \text{if } x \equiv 0, 1 \pmod{4} \\ 1 & \text{if } x \equiv 2, 3 \pmod{4}. \end{cases}$$

The bit commitment scheme f is defined by 

$$f(b, x) = \begin{cases} \alpha^{x} \bmod p & \text{if } \mathrm{SLB}(x) = b \\ \alpha^{p-x} \bmod p & \text{if } \mathrm{SLB}(x) \neq b. \end{cases}$$

In other words, a bit b is encrypted by choosing a random element having second last bit b, and raising α 
to that power modulo p. (Note that SLB(p - x) ≠ SLB(x) since p ≡ 3 (mod 4).) 

The scheme is binding, and by the remarks made above, it is concealing provided that the Discrete 
Logarithm problem in $\mathbb{Z}_p^*$ is infeasible. 
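Both commitment schemes of this section (the Goldwasser-Micali blob f(b, x) = m^b x^2 mod n and the SLB scheme f(b, x) = α^x or α^{p-x} mod p), together with the coin-flipping-by-telephone use, as one added Python example (not the book's code) on constructed toy parameters: n = 11·19 with m = 2 as the pseudo-square, and p = 23 with primitive element α = 5. The two binding checks are exhaustive and are only feasible because the parameters are tiny.

```python
import random
from math import gcd

# Constructed toy parameters (not the book's): Goldwasser-Micali with n = 11 * 19
# and m = 2, a pseudo-square mod 209 (a non-residue mod both 11 and 19);
# discrete-log scheme with p = 23 (p = 3 mod 4) and primitive element alpha = 5.
N, M = 209, 2
P, ALPHA = 23, 5


def gm_units(n=N):
    return [x for x in range(1, n) if gcd(x, n) == 1]


def gm_commit(b, x, m=M, n=N):
    """Blob f(b, x) = m^b x^2 mod n, with x a random element of Z_n^*."""
    return pow(m, b, n) * x * x % n


def gm_open(blob, b, x, m=M, n=N):
    """Vic's check when Peggy reveals (b, x)."""
    return gm_commit(b, x, m, n) == blob


def gm_binding_holds(m=M, n=N):
    """Binding for this instance: no blob opens both as 0 and as 1, i.e. the sets
    {x^2} and {m x^2} are disjoint (m x1^2 = x2^2 would make m a square).  Both
    sets have the same size, which is what a blob's value alone must not betray."""
    zeros = {gm_commit(0, x, m, n) for x in gm_units(n)}
    ones = {gm_commit(1, x, m, n) for x in gm_units(n)}
    return zeros.isdisjoint(ones) and len(zeros) == len(ones)


def coin_flip_by_telephone():
    """Alice commits to a bit, Bob guesses, Alice opens.  Returns
    (bob_guessed_right, opening_verified).  Binding stops Alice changing b after
    the guess; concealing stops Bob reading b from the blob."""
    b, x = random.choice((0, 1)), random.choice(gm_units())
    blob = gm_commit(b, x)            # sent to Bob
    guess = random.choice((0, 1))     # Bob's guess, made knowing only the blob
    return guess == b, gm_open(blob, b, x)


def slb(x):
    """Second least significant bit: 0 if x = 0, 1 (mod 4), 1 if x = 2, 3 (mod 4)."""
    return 0 if x % 4 in (0, 1) else 1


def dl_commit(b, x, alpha=ALPHA, p=P):
    """f(b, x) = alpha^x mod p if SLB(x) = b, else alpha^(p - x) mod p, for x in
    {1, ..., p - 1}.  As p = 3 (mod 4), SLB(p - x) != SLB(x), so the exponent
    actually used always has second bit b."""
    return pow(alpha, x if slb(x) == b else p - x, p)


def dl_open(blob, b, x, alpha=ALPHA, p=P):
    return dl_commit(b, x, alpha, p) == blob


def dl_binding_holds(alpha=ALPHA, p=P):
    """alpha is primitive, so a blob alpha^e comes from exponent e only, and every
    opening of it must reveal the bit SLB(e): check that exhaustively."""
    openable = {}
    for x in range(1, p):
        for b in (0, 1):
            openable.setdefault(dl_commit(b, x, alpha, p), set()).add(b)
    return all(len(bits) == 1 for bits in openable.values())
```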
13.4 Computational Zero-knowledge Proofs 

In this section, we give a zero-knowledge proof system for the NP-complete decision problem Graph 3-
Colorability, which is defined in Figure 13.11. The proof system uses a bit commitment scheme; to be 
specific, we will employ the bit commitment scheme presented in Section 13.3 that is based on 
probabilistic encryption. We assume that Peggy knows a 3-coloring φ of a graph G, and she wants to 
convince Vic that G is 3-colorable in a zero-knowledge fashion. Without loss of generality, we assume 
that G has vertex set V = {1, ..., n}. Denote m = |E|. The proof system will be described in terms of a 
commitment scheme f: {0, 1} × X → Y which is made public. Since we want to encrypt a color rather 
than a bit, we will replace the color 1 by the two bits 01, the color 2 by 10 and the color 3 by 11. Then 
we encrypt each of the two bits representing the color by using f. 

Figure 13.11 Graph 3-Colorability 

The interactive proof system is presented in Figure 13.12. Informally, what happens is the following. In 
each round, Peggy commits a coloring that is a permutation of the fixed coloring φ. Vic requests that 
Peggy open the blobs corresponding to the endpoints of some randomly chosen edge. Peggy does so, 
and then Vic checks that the commitments are as claimed and that the two colors are different. Notice 
that all Vic's computations are polynomial-time, and so are Peggy's, provided that she knows the 
existence of one 3-coloring φ. 

Here is a very small example to illustrate. 

Example 13.3

Suppose G is the graph (V, E), where

$V = \{1, 2, 3, 4, 5\}$

and

$E = \{12, 14, 15, 23, 34, 45\}.$

Suppose that Peggy knows the 3-coloring $\phi$ where $\phi(1) = 1$, $\phi(2) = \phi(4) = 2$ and $\phi(3) = \phi(5) = 3$. Suppose also that the bit commitment scheme is defined as $f(b, x) = 156897^{b}\, x^{2} \bmod 321389$, where $b = 0, 1$ and $x \in \mathbb{Z}_{321389}^{*}$.

Suppose that Peggy chooses the permutation $\pi = (1\ 3\ 2)$ in some round of the proof (written in one-line notation, so $\pi(1) = 1$, $\pi(2) = 3$ and $\pi(3) = 2$). Then she computes the colors $c_i = \pi(\phi(i))$:

$c_1 = 1$
$c_2 = 3$
$c_3 = 2$
$c_4 = 3$
$c_5 = 2.$

Figure 13.12 A computational zero-knowledge interactive proof system for Graph 3-colorability



She will encode this coloring in binary as the 10-tuple

0111101110

and then compute commitments of these ten bits. Suppose that she does this as follows:

  b        x    f(b, x)
  0   147653     176593
  1   318856     205585
  1    14497     189102
  1   285764     294039
  1   128589     230968
  0   228569      77477
  1    53369     305090
  1   194634     276484
  1   202445     292707
  0   177561     290599

Then Peggy gives Vic the ten values f(b, x) computed above.

Next, suppose that Vic chooses the edge 34 as his challenge. Then Peggy opens four blobs: the two that correspond to vertex 3 and the two that correspond to vertex 4. So Peggy gives Vic the ordered pairs

$(b, x) = (1, 128589),\ (0, 228569),\ (1, 53369),\ (1, 194634).$

Vic will first check that the two colors are distinct: 10 encodes color 2 and 11 encodes color 3, so this is all right. Next, Vic verifies that the four commitments are valid (that is, that $f(b, x)$ recomputed from each opened pair equals the blob he received), and hence this round of the proof is completed successfully.
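The round just described, as an added example that is not part of the book's text: Python code for the quadratic-residuosity commitment $f(b, x) = m^b x^2 \bmod n$ with the modulus and pseudo-square of Example 13.3, Peggy's commitment of a permuted coloring, Vic's challenge and check, the $m^2$-round loop of Figure 13.12, and an honest-Vic simulator. The simulator follows the text's remark that virtually all blobs in a forged transcript encrypt 1 (guess the edge, give its endpoints distinct colors, commit bit 1 everywhere else); Figure 13.13 itself is not reproduced on the page, so that shape is an assumption. The code re-checks the four blobs Peggy opens for edge 34 against the printed table, runs the full protocol on the example graph, and shows a prover who commits to an improper coloring of $K_4$ (which is not 3-colorable) being caught. The function names, the $K_4$ instance and the seeded random number generator are choices made for this example.

```python
import math
import random

# Parameters printed in Example 13.3: blob f(b, x) = m^b * x^2 mod n with
# n = 321389 and pseudo-square m = 156897.
N = 321389
M = 156897

# Colors travel as two bits: 1 -> 01, 2 -> 10, 3 -> 11.
COLOR_BITS = {1: (0, 1), 2: (1, 0), 3: (1, 1)}
BITS_COLOR = {bits: c for c, bits in COLOR_BITS.items()}

def commit(b, x, n=N, m=M):
    """Quadratic-residuosity blob f(b, x) = m^b * x^2 mod n, x in Z_n^*."""
    if b not in (0, 1) or math.gcd(x, n) != 1:
        raise ValueError("need a bit b and x in Z_n^*")
    return (pow(m, b, n) * pow(x, 2, n)) % n

def random_unit(rng, n=N):
    """Uniform x in Z_n^* (retry on the rare non-unit)."""
    while True:
        x = rng.randrange(1, n)
        if math.gcd(x, n) == 1:
            return x

def commit_coloring(vertices, colors, rng):
    """Commit every color bit; return (public blobs, Peggy's secret openings)."""
    blobs, openings = {}, {}
    for v in vertices:
        for j, bit in enumerate(COLOR_BITS[colors[v]]):
            x = random_unit(rng)
            openings[(v, j)] = (bit, x)
            blobs[(v, j)] = commit(bit, x)
    return blobs, openings

def open_edge(openings, u, v):
    """The four (bit, x) pairs for the endpoints of edge uv, in order."""
    return [openings[(w, j)] for w in (u, v) for j in (0, 1)]

def vic_check(blobs, u, v, opening, n=N, m=M):
    """Vic: every opened blob matches, both pairs decode, colors differ."""
    keys = [(w, j) for w in (u, v) for j in (0, 1)]
    try:
        if any(commit(b, x, n, m) != blobs[k] for k, (b, x) in zip(keys, opening)):
            return False
    except ValueError:                          # opening with x outside Z_n^*
        return False
    cu = BITS_COLOR.get((opening[0][0], opening[1][0]))
    cv = BITS_COLOR.get((opening[2][0], opening[3][0]))
    return cu is not None and cv is not None and cu != cv

def run_protocol(vertices, edges, phi, rounds=None, seed=0):
    """m^2 rounds of Figure 13.12; True iff Vic accepts all of them."""
    rng = random.Random(seed)
    rounds = len(edges) ** 2 if rounds is None else rounds
    for _ in range(rounds):
        perm = [1, 2, 3]
        rng.shuffle(perm)                       # fresh color permutation pi
        pi = dict(zip((1, 2, 3), perm))
        colors = {v: pi[phi[v]] for v in vertices}
        blobs, openings = commit_coloring(vertices, colors, rng)
        u, v = rng.choice(edges)                # Vic's random challenge
        if not vic_check(blobs, u, v, open_edge(openings, u, v)):
            return False
    return True

def forge_round(vertices, edges, seed=0):
    """Honest-Vic simulator (assumed shape of Figure 13.13): guess the edge,
    give its endpoints distinct colors, commit bit 1 everywhere else
    (i.e. color 3). No 3-coloring of G is used, yet Vic's check passes."""
    rng = random.Random(seed)
    u, v = rng.choice(edges)
    cu, cv = rng.sample([1, 2, 3], 2)
    colors = {w: cu if w == u else cv if w == v else 3 for w in vertices}
    blobs, openings = commit_coloring(vertices, colors, rng)
    return blobs, (u, v), open_edge(openings, u, v)

def check_page_example():
    """Re-verify the four blobs Peggy opens for edge 34 in Example 13.3."""
    blobs = {(3, 0): 230968, (3, 1): 77477, (4, 0): 305090, (4, 1): 276484}
    opening = [(1, 128589), (0, 228569), (1, 53369), (1, 194634)]
    return vic_check(blobs, 3, 4, opening)

# The graph and coloring of Example 13.3.
V = [1, 2, 3, 4, 5]
E = [(1, 2), (1, 4), (1, 5), (2, 3), (3, 4), (4, 5)]
PHI = {1: 1, 2: 2, 3: 3, 4: 2, 5: 3}

# Constructed cheating instance: K4 is not 3-colorable, so every
# "coloring" repeats a color on some edge (here on edge 14).
K4_V = [1, 2, 3, 4]
K4_E = [(a, b) for a in K4_V for b in K4_V if a < b]
BAD_PHI = {1: 1, 2: 2, 3: 3, 4: 1}
```

`check_page_example()` and `run_protocol(V, E, PHI)` both return True; `run_protocol(K4_V, K4_E, BAD_PHI, rounds=200)` returns False, since Vic's random edge hits the monochromatic one with probability 1/6 per round and a bound prover cannot open a blob any other way. `forge_round(V, E)` produces a triple that passes `vic_check` without any coloring of G, which is the sense in which a single round leaks nothing to an honest Vic.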

As in previous proof systems we have studied, Vic will accept a valid proof with probability 1, so we have completeness. What is the probability that Vic will accept if G is not 3-colorable? In this case, for any coloring, there must be at least one edge ij such that i and j have the same color. Vic's chances of choosing such an edge are at least 1/m. Peggy's probability of fooling Vic in all $m^2$ rounds is at most

$$\left(1 - \frac{1}{m}\right)^{m^2}.$$

Since $(1 - 1/m)^m \to 1/e$ as $m \to \infty$, there exists an integer $m_0$ such that $(1 - 1/m)^m < 2/e$ for $m > m_0$. Hence $(1 - 1/m)^{m^2} < (2/e)^m$ for $m > m_0$. Since $(2/e)^m$ approaches zero exponentially quickly as a function of $m = |E|$, we have soundness as well.






Cryptography: Theory and Practice:Zero-knowledge Proofs 



Let's now turn to the zero-knowledge aspect of the proof system. All that Vic sees in any given round of the protocol is an encrypted 3-coloring of G, together with the two distinct colors of the endpoints of one particular edge, as previously committed by Peggy. Since the colors are permuted independently in each round, Vic cannot combine information from different rounds to reconstruct the 3-coloring.

The proof system is not perfect zero-knowledge, but it does provide a weaker form of zero-knowledge 
called computational zero-knowledge. Computational zero-knowledge is defined exactly as perfect zero- 
knowledge, except that the relevant probability distributions of transcripts are required only to be 
polynomially indistinguishable (in the sense of Chapter 12) rather than identical. 

We begin by showing how transcripts can be forged. We give an explicit algorithm that will forge 
transcripts that cannot be distinguished from those produced by an honest Vic. If Vic deviates from the 
protocol, then it is possible to construct a simulator which uses the algorithm V* as a restartable 
subroutine to construct forged transcripts. Both forging algorithms follow the pattern of the related 
algorithms for the Graph Isomorphism proof system. 

Here, we consider only the case where Vic follows the protocol. A transcript T for the interactive proof of Graph 3-colorability would have the form

$$T = (G;\ A_1;\ \ldots;\ A_{m^2}),$$

where $A_j$ consists of the 2n blobs computed by Peggy in round j, the edge uv chosen by Vic, the colors assigned by Peggy in round j to u and v, and the four random numbers used by Peggy to encrypt the colors of these two vertices. A transcript is forged by means of the forging algorithm presented in Figure 13.13.

Proving (computational) zero-knowledge for Vic requires showing that the two probability distributions on transcripts (as produced by the Vic taking part in the protocol, and as produced by the simulator) are indistinguishable. We will not do this here, but we will make a couple of comments. Notice that the two probability distributions are not identical. This is because virtually all the blobs $R_{ij}$ in a forged transcript are blobs encrypting 1, whereas the blobs $R_{ij}$ in a real transcript will (usually) be encryptions of more equal numbers of 0's and 1's. However, it is possible to show that the two probability distributions cannot be distinguished in polynomial time, provided that the underlying bit commitment scheme is secure. More precisely, this means that the probability distribution on blobs encrypting color c is indistinguishable from the probability distribution on blobs encrypting color d if $c \neq d$.

Readers familiar with NP-completeness theory will realize that, having given a zero-knowledge proof 
for one particular NP-complete problem, we can obtain a zero-knowledge proof for any other problem in 
NP. This can be done by applying a polynomial transformation from a given problem in NP to the 
Graph 3-coloring problem. 
Figure 13.13 Forging algorithm for transcripts for Graph 3-colorability
13.5 Zero-knowledge Arguments

Let us recap the basic properties of the computational zero-knowledge proof for Graph 3-colorability presented in the last section. No assumptions are needed to prove completeness and soundness of the protocol. A computational assumption is needed to prove zero-knowledge, namely that the underlying bit commitment scheme is secure. Observe that if Peggy and Vic take part in the protocol, then Vic may later try to break the bit commitment scheme that was used in the protocol (for example, if the scheme based on quadratic residuosity were used, then Vic would try to factor the modulus). If at any future time Vic can break the bit commitment scheme, then he can decrypt the blobs used by Peggy in the protocol and extract the 3-coloring.

This analysis depends on the properties of the blobs that were used in the protocol. Although the binding 
property of the blobs is unconditional, the concealing property relies on a computational assumption. 

An interesting variation is to use blobs in which the concealing property is unconditional but the binding 
property requires a computational assumption. This leads to a protocol that is known as a zero- 
knowledge argument rather than a zero-knowledge proof. The reader will recall that we have assumed 
up until now that Peggy is all-powerful; in a zero-knowledge argument we will assume that Peggy's 
computations are required to be polynomial-time. (In fact, this assumption creates no difficulties, for we 
have already observed that Peggy's computations are polynomial-time provided she knows one 3- 
coloring of G.) 

Let us begin by describing a couple of bit commitment schemes of this type and then examine the 
ramifications of using them in the protocol for Graph 3-coloring. 

The first scheme is (again) based on the Quadratic Residues problem. Suppose n = pq, where p and q are prime, and let $m \in \mathrm{QR}(n)$ (note that in the previous scheme m was a pseudo-square). In this scheme neither the factorization of n nor a square root of m should be known to Peggy. So either Vic should construct these values or they should be obtained from a (trusted) third party.

Let $X = \mathbb{Z}_n^{*}$ and $Y = \mathrm{QR}(n)$, and define

$$f(b, x) = m^{b} x^{2} \bmod n.$$

As before, Peggy encrypts a value b by choosing a random x and computing the blob $y = f(b, x)$. In this scheme all the blobs are quadratic residues. Further, any $y \in \mathrm{QR}(n)$ is both an encryption of 0 and an encryption of 1. For suppose $y = x^2 \bmod n$ and $m = k^2 \bmod n$. Then

$$y = f(0, x) = f(1, xk^{-1} \bmod n).$$

This means that the concealing property is achieved unconditionally. On the other hand, what happens to the binding property? Peggy can open any given blob both as a 0 and as a 1 if and only if she can compute k, a square root of m. So, in order for the scheme to be (computationally) binding, we need to make the assumption that it is infeasible for Peggy to compute a square root of m. (If Peggy were all-powerful, then she could, of course, do this. This is one reason why we are now assuming that Peggy is computationally bounded.)

As a second bit commitment scheme of this type, we give an example of a scheme based on the Discrete Logarithm problem. Let p be a prime such that the discrete log problem in $\mathbb{Z}_p$ is infeasible, let $\alpha$ be a primitive element of $\mathbb{Z}_p^{*}$ and let $\beta \in \mathbb{Z}_p^{*}$. The value of $\beta$ should be chosen by Vic, or by a trusted third party, rather than by Peggy. This scheme will have $X = \mathbb{Z}_{p-1}$, $Y = \mathbb{Z}_p^{*}$, and f is defined by

$$f(b, x) = \beta^{b} \alpha^{x} \bmod p.$$

It is not hard to see that this scheme is unconditionally concealing, and it is binding if and only if it is infeasible for Peggy to compute the discrete logarithm $\log_\alpha \beta$.
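Both schemes of this section, as an added example rather than the book's own code: Python functions for $f(b, x) = m^b x^2 \bmod n$ and $f(b, x) = \beta^b \alpha^x \bmod p$, the equivocation each trapdoor allows (a root k of m turns the 0-opening x into the 1-opening $xk^{-1}$; $a = \log_\alpha \beta$ turns it into $x - a \bmod (p-1)$), and a brute-force check on small parameters that the blobs of 0 and the blobs of 1 have identical distributions over all choices of x, which is exactly what unconditional concealing means. The parameters are toy values chosen for this example: $n = 557 \cdot 577 = 321389$ (the modulus of Example 13.3, factored here by trial division), $k = 12345$, and $p = 467$ with $\alpha = 2$ and $\beta = \alpha^{77}$; none of these trapdoors appears on the page, and in a real deployment Peggy must not know them.

```python
import math
from collections import Counter

# --- Quadratic Residues scheme: f(b, x) = m^b x^2 mod n, m in QR(n) ----
# Toy trapdoor chosen for this example: n = 557 * 577 (= 321389, the
# modulus of Example 13.3, factored here) and m = k^2 with k = 12345.
P_QR, Q_QR = 557, 577
N_QR = P_QR * Q_QR
K_ROOT = 12345                   # the square root of m Peggy must not know
M_QR = pow(K_ROOT, 2, N_QR)      # m is a genuine square, not a pseudo-square

def f_qr(b, x, n=N_QR, m=M_QR):
    """Blob for bit b with randomness x in Z_n^*; always a quadratic residue."""
    return (pow(m, b, n) * pow(x, 2, n)) % n

def equivocate_qr(x, k=K_ROOT, n=N_QR):
    """With a root k of m, the 0-opening x becomes the 1-opening x * k^-1."""
    return (x * pow(k, -1, n)) % n

def qr_opens_both_ways(x):
    """y = f(0, x) = f(1, x k^-1): the same blob opens as 0 and as 1."""
    return f_qr(0, x) == f_qr(1, equivocate_qr(x))

def qr_distributions_identical(p=7, q=11, k=2):
    """Over all x in Z_n^*, the multiset of 0-blobs equals that of 1-blobs
    (x -> x k^-1 permutes Z_n^*): unconditional concealing, checked by
    exhaustion on a tiny modulus."""
    n, m = p * q, pow(k, 2, p * q)
    units = [x for x in range(1, n) if math.gcd(x, n) == 1]
    zeros = Counter(f_qr(0, x, n, m) for x in units)
    ones = Counter(f_qr(1, x, n, m) for x in units)
    return zeros == ones

# --- Discrete Logarithm scheme: f(b, x) = beta^b alpha^x mod p ---------
# Toy parameters chosen here: p = 467 (p - 1 = 2 * 233), alpha = 2 and
# beta = alpha^77, so the trapdoor a = log_alpha(beta) = 77 is known to us.
P_DL, P_DL_FACTORS = 467, (2, 233)
ALPHA = 2
LOG_BETA = 77
BETA = pow(ALPHA, LOG_BETA, P_DL)

def is_primitive(alpha=ALPHA, p=P_DL, factors=P_DL_FACTORS):
    """alpha generates Z_p^* iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in factors)

def f_dl(b, x, p=P_DL, alpha=ALPHA, beta=BETA):
    """Blob for bit b with randomness x in Z_{p-1}."""
    return (pow(beta, b, p) * pow(alpha, x, p)) % p

def equivocate_dl(x, a=LOG_BETA, p=P_DL):
    """Knowing a = log_alpha(beta): beta * alpha^(x - a) = alpha^x."""
    return (x - a) % (p - 1)

def dl_opens_both_ways(x):
    return f_dl(0, x) == f_dl(1, equivocate_dl(x))

def dl_distributions_identical(p=P_DL):
    """alpha^x and beta * alpha^x each run through Z_p^* exactly once."""
    xs = range(p - 1)
    return Counter(f_dl(0, x) for x in xs) == Counter(f_dl(1, x) for x in xs)
```

Without the trapdoor a given x opens as only one bit (`f_qr(0, x) != f_qr(1, x)`), which is all the binding property asks of a bounded Peggy; with it, `equivocate_qr` and `equivocate_dl` open the same blob either way, which is why whoever generates m or $\beta$ must not be the prover.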

Now, suppose we use one of these two bit commitment schemes in the protocol for Graph 3- 
colorability. It is easy to see that the protocol remains complete. But now the soundness condition 
depends on a computational assumption: the protocol is sound if and only if the bit commitment scheme 
is binding. What happens to the zero-knowledge aspect of the protocol? Because the bit commitment 
scheme is unconditionally concealing, the protocol is now perfect zero-knowledge rather than just 
computational zero-knowledge. Thus we have a perfect zero-knowledge argument. 

Table 13.1 Comparison of Properties of Proofs and Arguments

property           zero-knowledge proof   zero-knowledge argument
completeness       unconditional          unconditional
soundness          unconditional          computational
zero-knowledge     computational          perfect
binding blobs      unconditional          computational
concealing blobs   computational          unconditional



Whether one prefers an argument to a proof depends on the application, and whether one wants to make a computational assumption regarding Peggy or Vic. A comparison of the properties of proofs and arguments is summarized in Table 13.1. In the column "zero-knowledge proof," the computational assumption concerns Vic's computing power: the blobs are only computationally concealing, so Vic must be unable to break them, and (as noted above) he may keep trying long after the protocol has ended. In the column "zero-knowledge argument," the computational assumption concerns Peggy's computing power: the blobs are only computationally binding, so Peggy must be unable to compute the trapdoor (a square root of m, or $\log_\alpha \beta$) while the protocol is running; a break obtained after the blobs have been opened is of no use to her.

13.6 Notes and References

Most of the material in this chapter is based on Brassard, Chaum, and Crépeau [BCC88] and on Goldreich, Micali, and Wigderson [GMW91]. The bit commitment schemes we present, and a thorough discussion of the differences between proofs and arguments, can be found in [BCC88] (however, note that the term "argument" was first used in [BC90]). Zero-knowledge proofs for Graph Isomorphism, Graph Non-isomorphism and Graph 3-colorability can be found in [GMW91]. Another relevant paper is Goldwasser, Micali, and Rackoff [GMR89], in which interactive proof systems are first defined formally. The zero-knowledge proof for Quadratic Residues is from this paper.

The idea of coin-flipping by telephone is due to Blum [Bl82].

A very informal and entertaining illustration of the concept of zero-knowledge is presented by Quisquater and Guillou [QG90]. Also, see Johnson [Jo88] for a more mathematical survey of interactive proof systems.




Figure 13.14 An interactive proof system for Quadratic Non-residues 
Exercises

13.1 Consider the interactive proof system for the problem Quadratic Non-residues presented 
in Figure 13.14. Prove that the system is sound and complete, and explain why the protocol is not 
zero-knowledge. 

13.2 Devise an interactive proof system for the problem Subgroup Non-membership. Prove 
that your protocol is sound and complete. 

13.3 Consider the zero-knowledge proof for Quadratic Residues that was presented in Figure 13.8.

(a) Define a valid triple to be one having the form (y, i, z), where $y \in \mathrm{QR}(n)$, i = 0 or 1, $z \in \mathbb{Z}_n^{*}$ and $z^2 \equiv x^{i} y \pmod n$. Show that the number of valid triples is 2(p - 1)(q - 1), and each such triple is generated with equal probability if Peggy and Vic follow the protocol.

(b) Show that Vic can generate triples having the same probability distribution without knowing the factorization n = pq.

(c) Prove that the protocol is perfect zero-knowledge for Vic.

13.4 Consider the zero-knowledge proof for Subgroup Membership that was presented in Figure 13.10.

(a) Prove that the protocol is sound and complete.

(b) Define a valid triple to be one having the form (y, i, h), where $y \in \langle \alpha \rangle$, i = 0 or 1, $0 \le h \le \ell - 1$ and $\alpha^{h} \equiv \beta^{i} y \pmod n$. Show that the number of valid triples is , and each such triple is generated with equal probability if Peggy and Vic follow the protocol.

(c) Show that Vic can generate triples having the same probability distribution without knowing the discrete logarithm $\log_\alpha \beta$.

(d) Prove that the protocol is perfect zero-knowledge for Vic.

13.5 Prove that the Discrete Logarithm bit commitment scheme presented in Section 13.5 is unconditionally concealing, and prove that it is binding if and only if Peggy cannot compute $\log_\alpha \beta$.

13.6 Suppose we use the Quadratic Residues bit commitment scheme presented in Section 13.5 to obtain a zero-knowledge argument for Graph 3-coloring. Using the forging algorithm presented in Figure 13.13, prove that this protocol is perfect zero-knowledge for Vic.
Further Reading



Other recommended textbooks and monographs on cryptography include the following:

Beker and Piper [BP82]
Beutelspacher [Be94]
Biham and Shamir [BS93]
Brassard [Br88]
Denning [De82]
Kahn [Ka67]
Kaufman, Perlman and Speciner [KPS95]
Koblitz [Ko94]
Konheim [Ko81]
Kranakis [Kr86]
Menezes [Me93]
Meyer and Matyas [MM82]
Patterson [Pa87]
Pomerance [Po90a]
Rhee [Rh94]
Rueppel [Ru86]
Salomaa [Sa90]
Schneier [Sc95]
Seberry and Pieprzyk [SP89]
Simmons [Si92b]
Stallings [St95]
van Tilborg [vT88]
Wayner [Wa96]
Welsh [We88]

For a thorough and highly recommended reference on all aspects of practical cryptography, see Menezes, Van Oorschot and Vanstone [MVV96].

The main research journals in cryptography are the Journal of Cryptology, Designs, Codes and 
Cryptography and Cryptologia. The Journal of Cryptology is the journal of the International Association 
for Cryptologic Research (or IACR) which also sponsors the two main annual cryptology conferences, 
CRYPTO and EUROCRYPT. 

CRYPTO has been held since 1981 in Santa Barbara. The proceedings of CRYPTO have been published annually since 1982:



CRYPTO '82 [CRS83]
CRYPTO '83 [Ch84]
CRYPTO '84 [BC85]
CRYPTO '85 [Wi86]
CRYPTO '86 [Od87]
CRYPTO '87 [Po88]
CRYPTO '88 [Go90]
CRYPTO '89 [Br90]
CRYPTO '90 [MV91]
CRYPTO '91 [Fe92]
CRYPTO '92 [Br93]
CRYPTO '93 [St94]
CRYPTO '94 [De94]
CRYPTO '95 [Co95]
CRYPTO '96 [Ko96]



EUROCRYPT has been held annually since 1982, and except for 1983 and 1986, its proceedings have 
been published, as follows: 



EUROCRYPT '82 [Be83]
EUROCRYPT '84 [BCI85]
EUROCRYPT '85 [Pi86]
EUROCRYPT '87 [CP88]
EUROCRYPT '88 [Gu88a]
EUROCRYPT '89 [QV90]
EUROCRYPT '90 [Da91]
EUROCRYPT '91 [Da91a]
EUROCRYPT '92 [Ru93]
EUROCRYPT '93 [He94]
EUROCRYPT '94 [De95]
EUROCRYPT '95 [GQ95]
EUROCRYPT '96 [Ma96]



A third conference series, AUSCRYPT/ASIACRYPT, has been held "in association with" the IACR. Its 
conference proceedings have also been published: 

AUSCRYPT '90 [SP90]
ASIACRYPT '91 [IRM93]
AUSCRYPT '92 [SZ92]
ASIACRYPT '94 [PS95]

binomial coefficient, 31

birthday paradox, 236 

bit commitment scheme, 399, 398-401, 405-407 
blob, 399 
block cipher, 20 

Blom Key Predistribution Scheme, 261, 260-263 
Blum-Blum-Shub Generator, 371, 370-377, 379 
Blum-Goldwasser Cryptosystem, 380, 379-382 
boolean circuit, 333 

fan-in, 333 
fan-out, 333 
monotone, 333 

boolean formula, 333 

conjunctive normal form, 337 
disjunctive normal form, 334 

Bos-Chaum Signature Scheme, 216, 215-217 
Brickell Secret Sharing Scheme, 344, 343-348 

Caesar Cipher, 4 
certificate, 264 
challenge, 385 

challenge-and-response protocol, 217, 283, 385 
Chaum-van Antwerpen Signature Scheme, 218, 217-223

Chaum-van Heijst-Pfitzmann hash function, 238, 238-241 

Chinese remainder theorem, 122, 119-122, 142, 166, 380 

Chor-Rivest Cryptosystem, 115 

chosen ciphertext cryptanalysis, 25 

chosen plaintext cryptanalysis, 25 

cipher 

block, 20 

stream, 20, 20-24, 360 

cipher block chaining mode, 83, 83, 267 
cipher feedback mode, 83, 85 
ciphertext, 1, 20, 378 
ciphertext-only cryptanalysis, 25 
closure, 332 
closure property, 3 
code, 194 

distance of, 194 
dual code, 194 
generating matrix, 194 
Goppa code, 195 
Hamming code, 196 
nearest neighbor decoding, 194 
parity-check matrix, 194 
syndrome, 194 
syndrome decoding, 195 

coin-flipping by telephone, 400 
commutative cryptosystems, 66 
commutative property, 3 
complete graph, 346 

complete multipartite graph, 346, 352, 353 
completeness, 286, 386 
Composites, 129, 130 
computational security, 44 
concave function, 56 

strictly, 56 

concealing, 399 
conditional entropy, 59 
conditional probability, 45 
congruence, 3

conjunctive normal form boolean formula, 337 
cryptanalysis, 6 

chosen ciphertext, 25 
chosen plaintext, 25 
ciphertext-only, 25 
known-plaintext, 25 

cryptogram, 7 
cryptosystem, 1 

endomorphic, 64 
idempotent, 66 
iterated, 66 
monoalphabetic, 12 
polyalphabetic, 13 
private-key, 114 
probabilistic public-key, 378 
product, 64, 64-67 
public-key, 114 

cyclic group, 123, 183, 187 

Data Encryption Standard, 51, 70 

description of, 70-78 

differential cryptanalysis of, 89, 89-104 

dual keys, 110 

exhaustive key search, 82 

expansion function, 71, 73 

initial permutation, 70, 73 

key schedule, 71, 75-78 

modes of operation, 83, 83-86 

S-boxes, 72, 73-75, 82 

time-memory tradeoff, 86, 86-89 

dealer, 326 

deception probability, 305 

decision problem, 129, 190 

decomposition construction, 354, 355, 353-357 

decryption rule, 1, 21, 378 

determinant, 16 

deterministic algorithm, 129 
differential cryptanalysis, 89



characteristic, 98 
filtering operation, 101 
input x-or, 89 
output x-or, 89 
right pair, 100 
wrong pair, 100 

Diffie-Hellman Key Exchange, 270, 270-271 
Diffie-Hellman Key Predistribution Scheme, 265, 263-267 
Diffie-Hellman problem, 266, 265-267, 275 
Digital Signature Standard, 205, 211, 209-213 
digram, 25 

disavowal protocol, 217 

Discrete Logarithm Generator, 383 

Discrete Logarithm problem, 162, 163, 164-177, 206, 207, 210, 238, 263, 266, 276, 287, 290, 
362, 397, 400, 406 

bit security of, 172-177, 400 
elliptic curve, 187 
generalized, 177, 177-180 
in Galois fields, 183 
index calculus method, 170-172 
ith Bit problem, 173 

Pohlig-Hellman algorithm, 169, 166-170 
Shanks' algorithm, 165, 165-166 

disjunctive normal form boolean formula, 334 
distinguishable probability distributions, 364 
distinguisher, 364 
distribution rule, 338 
distributive property, 4 

electronic codebook mode, 83, 83 

ElGamal Cryptosystem, 115, 163, 162-164, 266-267 

elliptic curve, 187-190 
generalized, 178, 177-178 

ElGamal Signature Scheme, 205, 205-209 
elliptic curve, 183, 183-187 

point at infinity, 183 
Elliptic Curve Cryptosystem, 115, 187-190
encryption matrix, 47 
encryption rule, 1, 21, 378 
endomorphic cryptosystem, 64 
entropy, 52, 51-52 

conditional, 59 

of a natural language, 61 

of a secret sharing scheme, 349-352 

of authentication code, 321-323 

properties of, 56-59, 349 

Euclidean algorithm, 116-120, 140, 179, 181 

extended, 117, 119 
running time of, 128 

Euler phi-function, 9 
Euler pseudo-prime, 132 
Euler's criterion, 130, 131, 173
exclusive-or, 21 
exhaustive key search, 6, 13 

of DES, 82

factor base, 171 
factoring, 150-156 

factor base, 153 

number field sieve, 155 

p - 1 algorithm, 151, 151-152 

quadratic sieve, 154 

trial division, 150 

fan-in, 333 
fan-out, 333 

Fermat's theorem, 122, 137 
Fibonacci number, 128 
field, 10, 181 
forging algorithm, 390 

for Graph 3-colorability, 405 
for Graph Isomorphism, 391, 394 
Galois field, 180-183

Girault Key Agreement Scheme, 278, 276-279 
Goldwasser-Micali Cryptosystem, 379, 378-379, 399 
graph, 346 

complete, 346 

complete multipartite, 346, 352, 353 
induced subgraph, 352 
isomorphic, 386 
proper 3-coloring, 401

Graph 3-colorability, 401 

Graph 3-colorability Interactive Proof System, 402, 400-404, 406-407 
Graph Isomorphism, 386 

Graph Isomorphism Interactive Proof System, 389, 388-395 
Graph Non-isomorphism, 386 

Graph Non-isomorphism Interactive Proof System, 387, 386-388, 395-396 
group, 4 

abelian, 4, 116, 184 
cyclic, 123, 183, 187 
order of element in, 122 

Guillou-Quisquater Identification Scheme, 296, 295-299 

identity-based, 300 

Hamming distance, 194 

hash function, 203, 232, 232-254 

birthday attack, 236-237 

collision-free, 233-236 

constructed from a cryptosystem, 246 

extending, 241-246 

one-way, 234 

strongly collision-free, 233 

weakly collision-free, 233 

Hill Cipher, 13-17, 18 

cryptanalysis of, 36-37 

Huffman encoding, 53-56 
Huffman's algorithm, 55

ideal decomposition, 353 

ideal secret sharing scheme, 343, 344, 346-348 

idempotent cryptosystem, 66 

identification scheme, 282-300 

converted to signature scheme, 300 
identity-based, 299, 299 

identity matrix, 14 
impersonation, 305 
implicit key authentication, 276, 278 
independent random variables, 45 
index of coincidence, 31 

mutual, 33 

indistinguishable probability distributions, 363-370, 378, 404 
induced subgraph, 352 
information rate, 342 

monotone circuit construction, 343 

injective function, 2 
interactive argument 

perfect zero-knowledge, 407 
zero-knowledge, 406, 405-407 

interactive proof, 385, 385-397 

computational zero-knowledge, 398, 404, 400-404 
perfect zero-knowledge, 393, 388-397 
perfect zero-knowledge for Vic, 391 
zero-knowledge, 385 

intruder-in-the-middle attack, 271, 305 
inverse matrix, 15 
inverse permutation, 7 
isomorphic graphs, 386 
iterated cryptosystem, 66 

Jacobi symbol, 132, 132-134, 370, 379 
Jensen's Inequality, 56, 63, 316 
joint probability, 45

Kasiski test, 31 
Kerberos, 268, 267-270 

key lifetime, 268 
session key, 267 
timestamp, 268 

Kerckhoff's principle, 24 
key, 1, 20, 203, 305, 326, 378 
key agreement, 258 

authenticated, 271 

key confirmation, 269 
key distribution, 258 

on-line, 259 

key equivocation, 59 

key freshness, 267 

key predistribution, 259, 260-267 

key server, 259 

keystream, 20 

keystream alphabet, 21 

keystream generator, 21 

keyword, 12 

known-plaintext cryptanalysis, 25 

Lagrange interpolation formula, 329, 329-330 

Lagrange's theorem, 122 

Lame's theorem, 128 

Lamport Signature Scheme, 213, 213-215 

Las Vegas algorithm, 139, 171, 234 

Legendre symbol, 131, 131-132 

Linear Congruential Generator, 360, 360 

linear feedback shift register, 22, 360, 362 

linear recurrence, 21 

linear transformation, 14 

m-gram Substitution Cipher, 68 
matrix product, 14 

McEliece Cryptosystem, 115, 196, 193-198 
MD4 Hash Function, 248, 247-250
MD5 Hash Function, 247, 250 
memoryless source, 53 

Menezes-Vanstone Cryptosystem, 189, 188-190
Merkle-Hellman Cryptosystem, 115, 193, 190-193 
message, 203, 305 

message authentication code, 86, 304 
message digest, 232 

Miller-Rabin algorithm, 129, 130, 137, 136-138 

error probability of, 138 

mod operator, 3 

modular exponentiation, 127 

square-and-multiply algorithm, 127, 127, 131 

modular multiplication, 126 
modular reduction, 3 
modulus, 3 

monoalphabetic cryptosystem, 12 

monotone circuit, 333 

monotone circuit construction, 333, 335 

information rate, 343 

monotone property, 332 

Monte Carlo algorithm, 129, 129, 374 

error probability of, 129 
no-biased, 129 
unbiased, 374, 374-377 
yes-biased, 129 

MTI Key Agreement Protocol, 274, 273-276 
Multiplicative Cipher, 65, 65 
multiplicative identity, 4 
multiplicative inverse, 10 
mutual index of coincidence, 33 

next bit predictor, 365-370 

NP-complete problem, 44, 191, 193, 400, 404 

Okamoto Identification Scheme, 291, 290-295 
One-time Pad, 50, 50

one-way function, 116, 213, 234 

trapdoor, 116 

oracle, 139 

orthogonal array, 314, 313-320 

bounds, 315-318 
constructions, 318-319 

output feedback mode, 83, 85, 362 

passive adversary, 258 

perfect secrecy, 48, 44-51

perfect secret sharing scheme, 332, 339, 349 

periodic stream cipher, 21 

permutation, 2 

Permutation Cipher, 18, 17-20 
permutation matrix, 19 
plaintext, 1, 20, 378 
polyalphabetic cryptosystem, 13 
polynomial 

congruence of, 180 
degree of, 180 
division, 180 
irreducible, 181 
modular reduction of, 181 

polynomial equivalence, 126 
prefix-free encoding, 54 
previous bit predictor, 373 
primality testing, 129-138 
prime, 9 

Prime number theorem, 129, 135 
primitive element, 123 
principal square root, 373, 379 
private-key cryptosystem, 114 
probabilistic algorithm, 129 
probabilistic encryption, 377-382 
probabilistic public-key cryptosystem, 378 
probability, 45 
conditional, 45
joint, 45 

product cryptosystem, 64, 64-67
proof of forgery algorithm, 224 
proof of knowledge, 285 
proper 3-coloring, 401 
protocol failure, 156, 158, 208 
prover, 385 

pseudo-random bit generator, 359, 359-377 
pseudo-square, 370 
public-key cryptosystem, 114 

probabilistic, 378 
quadratic non-residue, 130 

Quadratic Non-residues Interactive Proof System, 408 
quadratic reciprocity, 132 
quadratic residue, 130 

Quadratic Residues, 130, 130, 371, 370-371, 374, 375, 377, 396, 399, 406 
Quadratic Residues Interactive Proof System, 396, 396-397 

Rabin Cryptosystem, 147, 145-150 

security of, 149-150 
rank, 226 

redundancy of a natural language, 61 

reject, 385 

relative shift, 33 

relatively prime, 9 

replay attack, 269 

response, 385 

ring, 4, 180 

round, 385 

RSA Cryptosystem, 114, 124, 124 

attacks on, 138-145 
bit security of, 144-145 
implementation of, 125-128 

RSA Generator, 362, 362-363 
RSA Signature Scheme, 203, 204 






Cryptography: Theory and Practice:Index 



Schnorr Identification Scheme, 286, 284-289, 295 

Schnorr Signature Scheme, 301 

search problem, 190 

secret sharing scheme, 326-357 

decomposition construction, 353-357 
ideal, 343, 344, 346-348 
information rate, 342, 341-343, 349-355 
monotone circuit construction, 333-338 
threshold scheme, 326-331 

Secure Hash Standard, 247, 250-252 
security parameter, 284, 378 
seed, 359 

self-certifying public key, 276 
session key, 259 

Shamir Threshold Scheme, 327, 327-330, 343, 346 

share, 326 

Shift Cipher, 4, 3-7 

Shrinking Generator, 362 

signature, 203 

signature scheme, 203, 202-229 

constructed from identification 
scheme, 300 
fail-stop, 224-229 
one-time, 213-217, 228 
undeniable, 217-223 

signing algorithm, 203 
simulator, 390 

Solovay-Strassen algorithm, 133, 129-136 

error probability, 136, 134-136 

soundness, 288, 386 
source state, 304 
Sperner property, 215 
spurious keys, 61, 59-64 

expected number of, 63 

square-and-multiply algorithm, 127, 127, 131 
Station-to-station Protocol, 272, 271-273 
Stirling's formula, 68, 216
stream cipher, 20, 20-24, 360 

cryptanalysis of, 37 
synchronous, 21, 85 

Subgroup Membership, 397 

Subgroup Membership Interactive Proof System, 398 
Subset Sum problem, 190, 190-191 

modular transformation, 192 
superincreasing, 191 

substitution, 305 
Substitution Cipher, 7, 7, 7-8 

cryptanalysis of, 27-31
m-gram, 68 

synchronous stream cipher, 21, 85 

threshold scheme, 326, 326-331 

timestamping, 252-254 

transcript, 390 

Transposition Cipher, 17 

trapdoor, 116 

trigram, 25 

trusted authority, 258 

unconditional security, 45 
unicity distance, 63, 59-64 

van Heyst-Pedersen Signature Scheme, 225, 224-229 
Vandermonde matrix, 329 

determinant of, 329 

verification algorithm, 203 
verifier, 385 

Vernam One-time Pad, 50, 50 
Vigenere Cipher, 12, 12-13, 40 

cryptanalysis of, 31-36 
zero-knowledge interactive argument, 406, 405-407

perfect, 407 

zero-knowledge interactive proof, 385 

computational, 398, 404, 400-404 
perfect, 393, 388-397 
perfect, for Vic, 391 

Copyright © CRC Press LLC



